2 * Routines for smb2 packet dissection
5 * For documentation of this protocol, see:
7 * http://wiki.wireshark.org/SMB2
8 * http://msdn.microsoft.com/en-us/library/cc246482(PROT.10).aspx
10 * If you edit this file, keep the wiki updated as well.
14 * Wireshark - Network traffic analyzer
15 * By Gerald Combs <gerald@wireshark.org>
16 * Copyright 1998 Gerald Combs
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include <epan/packet.h>
36 #include <epan/conversation.h>
38 #include <epan/emem.h>
39 #include <epan/aftypes.h>
41 #include "packet-smb2.h"
42 #include "packet-dcerpc.h"
43 #include "packet-ntlmssp.h"
44 #include "packet-windows-common.h"
45 #include "packet-smb-common.h"
46 #include "packet-smb.h"
47 #include "packet-dcerpc-nt.h"
49 #include <epan/prefs.h>
52 /* Use libgcrypt for cipher libraries. */
54 #include <wsutil/wsgcrypt.h>
55 #endif /* HAVE_LIBGCRYPT */
57 static char smb_header_label[] = "SMB2 Header";
58 static char smb_transform_header_label[] = "SMB2 Transform Header";
60 static int proto_smb2 = -1;
61 static int hf_smb2_cmd = -1;
62 static int hf_smb2_nt_status = -1;
63 static int hf_smb2_response_to = -1;
64 static int hf_smb2_response_in = -1;
65 static int hf_smb2_time = -1;
66 static int hf_smb2_header_len = -1;
67 static int hf_smb2_seqnum = -1;
68 static int hf_smb2_pid = -1;
69 static int hf_smb2_tid = -1;
70 static int hf_smb2_aid = -1;
71 static int hf_smb2_sesid = -1;
72 static int hf_smb2_previous_sesid = -1;
73 static int hf_smb2_flags_response = -1;
74 static int hf_smb2_flags_async_cmd = -1;
75 static int hf_smb2_flags_dfs_op = -1;
76 static int hf_smb2_flags_chained = -1;
77 static int hf_smb2_flags_signature = -1;
78 static int hf_smb2_flags_replay_operation = -1;
79 static int hf_smb2_chain_offset = -1;
80 static int hf_smb2_security_blob = -1;
81 static int hf_smb2_ioctl_in_data = -1;
82 static int hf_smb2_ioctl_out_data = -1;
83 static int hf_smb2_unknown = -1;
84 static int hf_smb2_twrp_timestamp = -1;
85 static int hf_smb2_mxac_timestamp = -1;
86 static int hf_smb2_mxac_status = -1;
87 static int hf_smb2_qfid_fid = -1;
88 static int hf_smb2_create_timestamp = -1;
89 static int hf_smb2_oplock = -1;
90 static int hf_smb2_close_flags = -1;
91 static int hf_smb2_notify_flags = -1;
92 static int hf_smb2_last_access_timestamp = -1;
93 static int hf_smb2_last_write_timestamp = -1;
94 static int hf_smb2_last_change_timestamp = -1;
95 static int hf_smb2_current_time = -1;
96 static int hf_smb2_boot_time = -1;
97 static int hf_smb2_filename = -1;
98 static int hf_smb2_filename_len = -1;
99 static int hf_smb2_nlinks = -1;
100 static int hf_smb2_delete_pending = -1;
101 static int hf_smb2_is_directory = -1;
102 static int hf_smb2_file_id = -1;
103 static int hf_smb2_allocation_size = -1;
104 static int hf_smb2_end_of_file = -1;
105 static int hf_smb2_tree = -1;
106 static int hf_smb2_find_pattern = -1;
107 static int hf_smb2_find_info_level = -1;
108 static int hf_smb2_find_info_blob = -1;
109 static int hf_smb2_client_guid = -1;
110 static int hf_smb2_server_guid = -1;
111 static int hf_smb2_object_id = -1;
112 static int hf_smb2_birth_volume_id = -1;
113 static int hf_smb2_birth_object_id = -1;
114 static int hf_smb2_domain_id = -1;
115 static int hf_smb2_class = -1;
116 static int hf_smb2_infolevel = -1;
117 static int hf_smb2_infolevel_file_info = -1;
118 static int hf_smb2_infolevel_fs_info = -1;
119 static int hf_smb2_infolevel_sec_info = -1;
120 static int hf_smb2_max_response_size = -1;
121 static int hf_smb2_max_ioctl_in_size = -1;
122 static int hf_smb2_max_ioctl_out_size = -1;
123 static int hf_smb2_required_buffer_size = -1;
124 static int hf_smb2_setinfo_size = -1;
125 static int hf_smb2_setinfo_offset = -1;
126 static int hf_smb2_file_basic_info = -1;
127 static int hf_smb2_file_standard_info = -1;
128 static int hf_smb2_file_internal_info = -1;
129 static int hf_smb2_file_ea_info = -1;
130 static int hf_smb2_file_access_info = -1;
131 static int hf_smb2_file_rename_info = -1;
132 static int hf_smb2_file_disposition_info = -1;
133 static int hf_smb2_file_position_info = -1;
134 static int hf_smb2_file_full_ea_info = -1;
135 static int hf_smb2_file_mode_info = -1;
136 static int hf_smb2_file_alignment_info = -1;
137 static int hf_smb2_file_all_info = -1;
138 static int hf_smb2_file_allocation_info = -1;
139 static int hf_smb2_file_endoffile_info = -1;
140 static int hf_smb2_file_alternate_name_info = -1;
141 static int hf_smb2_file_stream_info = -1;
142 static int hf_smb2_file_pipe_info = -1;
143 static int hf_smb2_file_compression_info = -1;
144 static int hf_smb2_file_network_open_info = -1;
145 static int hf_smb2_file_attribute_tag_info = -1;
146 static int hf_smb2_fs_info_01 = -1;
147 static int hf_smb2_fs_info_03 = -1;
148 static int hf_smb2_fs_info_04 = -1;
149 static int hf_smb2_fs_info_05 = -1;
150 static int hf_smb2_fs_info_06 = -1;
151 static int hf_smb2_fs_info_07 = -1;
152 static int hf_smb2_fs_objectid_info = -1;
153 static int hf_smb2_sec_info_00 = -1;
154 static int hf_smb2_fid = -1;
155 static int hf_smb2_write_length = -1;
156 static int hf_smb2_write_data = -1;
157 static int hf_smb2_write_flags = -1;
158 static int hf_smb2_write_flags_write_through = -1;
159 static int hf_smb2_write_count = -1;
160 static int hf_smb2_write_remaining = -1;
161 static int hf_smb2_read_length = -1;
162 static int hf_smb2_read_remaining = -1;
163 static int hf_smb2_file_offset = -1;
164 static int hf_smb2_read_data = -1;
165 static int hf_smb2_disposition_delete_on_close = -1;
166 static int hf_smb2_create_disposition = -1;
167 static int hf_smb2_create_chain_offset = -1;
168 static int hf_smb2_create_chain_data = -1;
169 static int hf_smb2_data_offset = -1;
170 static int hf_smb2_extrainfo = -1;
171 static int hf_smb2_create_action = -1;
172 static int hf_smb2_create_rep_flags = -1;
173 static int hf_smb2_create_rep_flags_reparse_point = -1;
174 static int hf_smb2_next_offset = -1;
175 static int hf_smb2_ea_size = -1;
176 static int hf_smb2_ea_flags = -1;
177 static int hf_smb2_ea_name_len = -1;
178 static int hf_smb2_ea_data_len = -1;
179 static int hf_smb2_ea_name = -1;
180 static int hf_smb2_ea_data = -1;
181 static int hf_smb2_buffer_code = -1;
182 static int hf_smb2_buffer_code_len = -1;
183 static int hf_smb2_buffer_code_flags_dyn = -1;
184 static int hf_smb2_olb_offset = -1;
185 static int hf_smb2_olb_length = -1;
186 static int hf_smb2_tag = -1;
187 static int hf_smb2_impersonation_level = -1;
188 static int hf_smb2_ioctl_function = -1;
189 static int hf_smb2_ioctl_function_device = -1;
190 static int hf_smb2_ioctl_function_access = -1;
191 static int hf_smb2_ioctl_function_function = -1;
192 static int hf_smb2_ioctl_function_method = -1;
193 static int hf_smb2_ioctl_resiliency_timeout = -1;
194 static int hf_smb2_ioctl_resiliency_reserved = -1;
195 static int hf_windows_sockaddr_family = -1;
196 static int hf_windows_sockaddr_port = -1;
197 static int hf_windows_sockaddr_in_addr = -1;
198 static int hf_windows_sockaddr_in6_flowinfo = -1;
199 static int hf_windows_sockaddr_in6_addr = -1;
200 static int hf_windows_sockaddr_in6_scope_id = -1;
201 static int hf_smb2_ioctl_network_interface_next_offset = -1;
202 static int hf_smb2_ioctl_network_interface_index = -1;
203 static int hf_smb2_ioctl_network_interface_rss_queue_count = -1;
204 static int hf_smb2_ioctl_network_interface_capabilities = -1;
205 static int hf_smb2_ioctl_network_interface_capability_rss = -1;
206 static int hf_smb2_ioctl_network_interface_capability_rdma = -1;
207 static int hf_smb2_ioctl_network_interface_link_speed = -1;
208 static int hf_smb2_ioctl_shadow_copy_num_volumes = -1;
209 static int hf_smb2_ioctl_shadow_copy_num_labels = -1;
210 static int hf_smb2_ioctl_shadow_copy_count = -1;
211 static int hf_smb2_ioctl_shadow_copy_label = -1;
212 static int hf_smb2_compression_format = -1;
213 static int hf_smb2_FILE_OBJECTID_BUFFER = -1;
214 static int hf_smb2_lease_key = -1;
215 static int hf_smb2_lease_state = -1;
216 static int hf_smb2_lease_state_read_caching = -1;
217 static int hf_smb2_lease_state_handle_caching = -1;
218 static int hf_smb2_lease_state_write_caching = -1;
219 static int hf_smb2_lease_flags = -1;
220 static int hf_smb2_lease_flags_break_ack_required = -1;
221 static int hf_smb2_lease_flags_parent_lease_key_set = -1;
222 static int hf_smb2_lease_flags_break_in_progress = -1;
223 static int hf_smb2_lease_duration = -1;
224 static int hf_smb2_parent_lease_key = -1;
225 static int hf_smb2_lease_epoch = -1;
226 static int hf_smb2_lease_break_reason = -1;
227 static int hf_smb2_lease_access_mask_hint = -1;
228 static int hf_smb2_lease_share_mask_hint = -1;
229 static int hf_smb2_acct_name = -1;
230 static int hf_smb2_domain_name = -1;
231 static int hf_smb2_host_name = -1;
232 static int hf_smb2_auth_frame = -1;
233 static int hf_smb2_tcon_frame = -1;
234 static int hf_smb2_share_type = -1;
235 static int hf_smb2_signature = -1;
236 static int hf_smb2_credit_charge = -1;
237 static int hf_smb2_credits_requested = -1;
238 static int hf_smb2_credits_granted = -1;
239 static int hf_smb2_channel_sequence = -1;
240 static int hf_smb2_dialect_count = -1;
241 static int hf_smb2_security_mode = -1;
242 static int hf_smb2_secmode_flags_sign_required = -1;
243 static int hf_smb2_secmode_flags_sign_enabled = -1;
244 static int hf_smb2_ses_req_flags = -1;
245 static int hf_smb2_ses_req_flags_session_binding = -1;
246 static int hf_smb2_capabilities = -1;
247 static int hf_smb2_cap_dfs = -1;
248 static int hf_smb2_cap_leasing = -1;
249 static int hf_smb2_cap_large_mtu = -1;
250 static int hf_smb2_cap_multi_channel = -1;
251 static int hf_smb2_cap_persistent_handles = -1;
252 static int hf_smb2_cap_directory_leasing = -1;
253 static int hf_smb2_cap_encryption = -1;
254 static int hf_smb2_dialect = -1;
255 static int hf_smb2_max_trans_size = -1;
256 static int hf_smb2_max_read_size = -1;
257 static int hf_smb2_max_write_size = -1;
258 static int hf_smb2_channel = -1;
259 static int hf_smb2_session_flags = -1;
260 static int hf_smb2_ses_flags_guest = -1;
261 static int hf_smb2_ses_flags_null = -1;
262 static int hf_smb2_share_flags = -1;
263 static int hf_smb2_share_flags_dfs = -1;
264 static int hf_smb2_share_flags_dfs_root = -1;
265 static int hf_smb2_share_flags_restrict_exclusive_opens = -1;
266 static int hf_smb2_share_flags_force_shared_delete = -1;
267 static int hf_smb2_share_flags_allow_namespace_caching = -1;
268 static int hf_smb2_share_flags_access_based_dir_enum = -1;
269 static int hf_smb2_share_flags_force_levelii_oplock = -1;
270 static int hf_smb2_share_flags_enable_hash_v1 = -1;
271 static int hf_smb2_share_flags_enable_hash_v2 = -1;
272 static int hf_smb2_share_flags_encrypt_data = -1;
273 static int hf_smb2_share_caching = -1;
274 static int hf_smb2_share_caps = -1;
275 static int hf_smb2_share_caps_dfs = -1;
276 static int hf_smb2_share_caps_continuous_availability = -1;
277 static int hf_smb2_share_caps_scaleout = -1;
278 static int hf_smb2_share_caps_cluster = -1;
279 static int hf_smb2_create_flags = -1;
280 static int hf_smb2_lock_count = -1;
281 static int hf_smb2_min_count = -1;
282 static int hf_smb2_remaining_bytes = -1;
283 static int hf_smb2_channel_info_offset = -1;
284 static int hf_smb2_channel_info_length = -1;
285 static int hf_smb2_ioctl_flags = -1;
286 static int hf_smb2_ioctl_is_fsctl = -1;
287 static int hf_smb2_close_pq_attrib = -1;
288 static int hf_smb2_notify_watch_tree = -1;
289 static int hf_smb2_output_buffer_len = -1;
290 static int hf_smb2_notify_out_data = -1;
291 static int hf_smb2_find_flags = -1;
292 static int hf_smb2_find_flags_restart_scans = -1;
293 static int hf_smb2_find_flags_single_entry = -1;
294 static int hf_smb2_find_flags_index_specified = -1;
295 static int hf_smb2_find_flags_reopen = -1;
296 static int hf_smb2_file_index = -1;
297 static int hf_smb2_file_directory_info = -1;
298 static int hf_smb2_both_directory_info = -1;
299 static int hf_smb2_short_name_len = -1;
300 static int hf_smb2_short_name = -1;
301 static int hf_smb2_id_both_directory_info = -1;
302 static int hf_smb2_full_directory_info = -1;
303 static int hf_smb2_lock_info = -1;
304 static int hf_smb2_lock_length = -1;
305 static int hf_smb2_lock_flags = -1;
306 static int hf_smb2_lock_flags_shared = -1;
307 static int hf_smb2_lock_flags_exclusive = -1;
308 static int hf_smb2_lock_flags_unlock = -1;
309 static int hf_smb2_lock_flags_fail_immediately = -1;
310 static int hf_smb2_dhnq_buffer_reserved = -1;
311 static int hf_smb2_dh2x_buffer_timeout = -1;
312 static int hf_smb2_dh2x_buffer_flags = -1;
313 static int hf_smb2_dh2x_buffer_flags_persistent_handle = -1;
314 static int hf_smb2_dh2x_buffer_reserved = -1;
315 static int hf_smb2_dh2x_buffer_create_guid = -1;
316 static int hf_smb2_APP_INSTANCE_buffer_struct_size = -1;
317 static int hf_smb2_APP_INSTANCE_buffer_reserved = -1;
318 static int hf_smb2_APP_INSTANCE_buffer_app_guid = -1;
319 static int hf_smb2_error_byte_count = -1;
320 static int hf_smb2_error_data = -1;
321 static int hf_smb2_error_reserved = -1;
322 static int hf_smb2_reserved = -1;
323 static int hf_smb2_transform_signature = -1;
324 static int hf_smb2_transform_nonce = -1;
325 static int hf_smb2_transform_msg_size = -1;
326 static int hf_smb2_transform_reserved = -1;
327 static int hf_smb2_encryption_aes128_ccm = -1;
328 static int hf_smb2_transform_enc_alg = -1;
329 static int hf_smb2_transform_encrypted_data = -1;
331 static gint ett_smb2 = -1;
332 static gint ett_smb2_olb = -1;
333 static gint ett_smb2_ea = -1;
334 static gint ett_smb2_header = -1;
335 static gint ett_smb2_encrypted = -1;
336 static gint ett_smb2_command = -1;
337 static gint ett_smb2_secblob = -1;
338 static gint ett_smb2_file_basic_info = -1;
339 static gint ett_smb2_file_standard_info = -1;
340 static gint ett_smb2_file_internal_info = -1;
341 static gint ett_smb2_file_ea_info = -1;
342 static gint ett_smb2_file_access_info = -1;
343 static gint ett_smb2_file_position_info = -1;
344 static gint ett_smb2_file_mode_info = -1;
345 static gint ett_smb2_file_alignment_info = -1;
346 static gint ett_smb2_file_all_info = -1;
347 static gint ett_smb2_file_allocation_info = -1;
348 static gint ett_smb2_file_endoffile_info = -1;
349 static gint ett_smb2_file_alternate_name_info = -1;
350 static gint ett_smb2_file_stream_info = -1;
351 static gint ett_smb2_file_pipe_info = -1;
352 static gint ett_smb2_file_compression_info = -1;
353 static gint ett_smb2_file_network_open_info = -1;
354 static gint ett_smb2_file_attribute_tag_info = -1;
355 static gint ett_smb2_file_rename_info = -1;
356 static gint ett_smb2_file_disposition_info = -1;
357 static gint ett_smb2_file_full_ea_info = -1;
358 static gint ett_smb2_fs_info_01 = -1;
359 static gint ett_smb2_fs_info_03 = -1;
360 static gint ett_smb2_fs_info_04 = -1;
361 static gint ett_smb2_fs_info_05 = -1;
362 static gint ett_smb2_fs_info_06 = -1;
363 static gint ett_smb2_fs_info_07 = -1;
364 static gint ett_smb2_fs_objectid_info = -1;
365 static gint ett_smb2_sec_info_00 = -1;
366 static gint ett_smb2_tid_tree = -1;
367 static gint ett_smb2_sesid_tree = -1;
368 static gint ett_smb2_create_chain_element = -1;
369 static gint ett_smb2_MxAc_buffer = -1;
370 static gint ett_smb2_QFid_buffer = -1;
371 static gint ett_smb2_RqLs_buffer = -1;
372 static gint ett_smb2_ioctl_function = -1;
373 static gint ett_smb2_FILE_OBJECTID_BUFFER = -1;
374 static gint ett_smb2_flags = -1;
375 static gint ett_smb2_sec_mode = -1;
376 static gint ett_smb2_capabilities = -1;
377 static gint ett_smb2_ses_req_flags = -1;
378 static gint ett_smb2_ses_flags = -1;
379 static gint ett_smb2_lease_state = -1;
380 static gint ett_smb2_lease_flags = -1;
381 static gint ett_smb2_share_flags = -1;
382 static gint ett_smb2_create_rep_flags = -1;
383 static gint ett_smb2_share_caps = -1;
384 static gint ett_smb2_ioctl_flags = -1;
385 static gint ett_smb2_ioctl_network_interface = -1;
386 static gint ett_windows_sockaddr = -1;
387 static gint ett_smb2_close_flags = -1;
388 static gint ett_smb2_notify_flags = -1;
389 static gint ett_smb2_write_flags = -1;
390 static gint ett_smb2_DH2Q_buffer = -1;
391 static gint ett_smb2_DH2C_buffer = -1;
392 static gint ett_smb2_dh2x_flags = -1;
393 static gint ett_smb2_APP_INSTANCE_buffer = -1;
394 static gint ett_smb2_find_flags = -1;
395 static gint ett_smb2_file_directory_info = -1;
396 static gint ett_smb2_both_directory_info = -1;
397 static gint ett_smb2_id_both_directory_info = -1;
398 static gint ett_smb2_full_directory_info = -1;
399 static gint ett_smb2_file_name_info = -1;
400 static gint ett_smb2_lock_info = -1;
401 static gint ett_smb2_lock_flags = -1;
402 static gint ett_smb2_transform_enc_alg = -1;
403 static gint ett_smb2_buffercode = -1;
/* Tap identifiers, both initialised to -1. smb2_eo_tap is the tap that
 * feed_eo_smb2() queues export-object records on. */
405 static int smb2_tap = -1;
406 static int smb2_eo_tap = -1;
/* Handles for the GSS-API and NTLMSSP dissectors; NULL until assigned
 * (the assignment is not within this part of the file). */
408 static dissector_handle_t gssapi_handle = NULL;
409 static dissector_handle_t ntlmssp_handle = NULL;
/* List of heuristic sub-dissectors for SMB2. */
411 static heur_dissector_list_t smb2_heur_subdissector_list;
/* Info-class codes and the display string for each.
 * NOTE(review): a value_string table has to end with a { 0, NULL } entry so
 * that lookups stop; that entry and the closing brace fall on lines this
 * listing omits -- confirm them in the full file. */
413 #define SMB2_CLASS_FILE_INFO 0x01
414 #define SMB2_CLASS_FS_INFO 0x02
415 #define SMB2_CLASS_SEC_INFO 0x03
416 static const value_string smb2_class_vals[] = {
417 { SMB2_CLASS_FILE_INFO, "FILE_INFO"},
418 { SMB2_CLASS_FS_INFO, "FS_INFO"},
419 { SMB2_CLASS_SEC_INFO, "SEC_INFO"},
/* Share-type codes and the display string for each.
 * NOTE(review): the terminating { 0, NULL } entry and the closing brace are
 * on lines this listing omits -- confirm them in the full file. */
423 #define SMB2_SHARE_TYPE_DISK 0x01
424 #define SMB2_SHARE_TYPE_PIPE 0x02
425 #define SMB2_SHARE_TYPE_PRINT 0x03
426 static const value_string smb2_share_type_vals[] = {
427 { SMB2_SHARE_TYPE_DISK, "Physical disk" },
428 { SMB2_SHARE_TYPE_PIPE, "Named pipe" },
429 { SMB2_SHARE_TYPE_PRINT, "Printer" },
/* File information level codes, each mapped below to a display string that
 * is the constant's own name. The codes are not contiguous (0x09, 0x0b,
 * 0x0c, 0x18-0x1b and others have no entry), so a lookup on a value taken
 * from a packet can miss.
 * NOTE(review): the terminating { 0, NULL } entry and the closing brace are
 * on lines this listing omits -- confirm them in the full file. */
434 #define SMB2_FILE_BASIC_INFO 0x04
435 #define SMB2_FILE_STANDARD_INFO 0x05
436 #define SMB2_FILE_INTERNAL_INFO 0x06
437 #define SMB2_FILE_EA_INFO 0x07
438 #define SMB2_FILE_ACCESS_INFO 0x08
439 #define SMB2_FILE_RENAME_INFO 0x0a
440 #define SMB2_FILE_DISPOSITION_INFO 0x0d
441 #define SMB2_FILE_POSITION_INFO 0x0e
442 #define SMB2_FILE_FULL_EA_INFO 0x0f
443 #define SMB2_FILE_MODE_INFO 0x10
444 #define SMB2_FILE_ALIGNMENT_INFO 0x11
445 #define SMB2_FILE_ALL_INFO 0x12
446 #define SMB2_FILE_ALLOCATION_INFO 0x13
447 #define SMB2_FILE_ENDOFFILE_INFO 0x14
448 #define SMB2_FILE_ALTERNATE_NAME_INFO 0x15
449 #define SMB2_FILE_STREAM_INFO 0x16
450 #define SMB2_FILE_PIPE_INFO 0x17
451 #define SMB2_FILE_COMPRESSION_INFO 0x1c
452 #define SMB2_FILE_NETWORK_OPEN_INFO 0x22
453 #define SMB2_FILE_ATTRIBUTE_TAG_INFO 0x23
454 static const value_string smb2_file_info_levels[] = {
455 {SMB2_FILE_BASIC_INFO, "SMB2_FILE_BASIC_INFO" },
456 {SMB2_FILE_STANDARD_INFO, "SMB2_FILE_STANDARD_INFO" },
457 {SMB2_FILE_INTERNAL_INFO, "SMB2_FILE_INTERNAL_INFO" },
458 {SMB2_FILE_EA_INFO, "SMB2_FILE_EA_INFO" },
459 {SMB2_FILE_ACCESS_INFO, "SMB2_FILE_ACCESS_INFO" },
460 {SMB2_FILE_RENAME_INFO, "SMB2_FILE_RENAME_INFO" },
461 {SMB2_FILE_DISPOSITION_INFO, "SMB2_FILE_DISPOSITION_INFO" },
462 {SMB2_FILE_POSITION_INFO, "SMB2_FILE_POSITION_INFO" },
463 {SMB2_FILE_FULL_EA_INFO, "SMB2_FILE_FULL_EA_INFO" },
464 {SMB2_FILE_MODE_INFO, "SMB2_FILE_MODE_INFO" },
465 {SMB2_FILE_ALIGNMENT_INFO, "SMB2_FILE_ALIGNMENT_INFO" },
466 {SMB2_FILE_ALL_INFO, "SMB2_FILE_ALL_INFO" },
467 {SMB2_FILE_ALLOCATION_INFO, "SMB2_FILE_ALLOCATION_INFO" },
468 {SMB2_FILE_ENDOFFILE_INFO, "SMB2_FILE_ENDOFFILE_INFO" },
469 {SMB2_FILE_ALTERNATE_NAME_INFO, "SMB2_FILE_ALTERNATE_NAME_INFO" },
470 {SMB2_FILE_STREAM_INFO, "SMB2_FILE_STREAM_INFO" },
471 {SMB2_FILE_PIPE_INFO, "SMB2_FILE_PIPE_INFO" },
472 {SMB2_FILE_COMPRESSION_INFO, "SMB2_FILE_COMPRESSION_INFO" },
473 {SMB2_FILE_NETWORK_OPEN_INFO, "SMB2_FILE_NETWORK_OPEN_INFO" },
474 {SMB2_FILE_ATTRIBUTE_TAG_INFO, "SMB2_FILE_ATTRIBUTE_TAG_INFO" },
/* Filesystem information level codes and their display strings; level 0x02
 * has no entry.
 * NOTE(review): the terminating { 0, NULL } entry and the closing brace are
 * on lines this listing omits -- confirm them in the full file. */
480 #define SMB2_FS_INFO_01 0x01
481 #define SMB2_FS_INFO_03 0x03
482 #define SMB2_FS_INFO_04 0x04
483 #define SMB2_FS_INFO_05 0x05
484 #define SMB2_FS_INFO_06 0x06
485 #define SMB2_FS_INFO_07 0x07
486 #define SMB2_FS_OBJECTID_INFO 0x08
487 static const value_string smb2_fs_info_levels[] = {
488 {SMB2_FS_INFO_01, "SMB2_FS_INFO_01" },
489 {SMB2_FS_INFO_03, "SMB2_FS_INFO_03" },
490 {SMB2_FS_INFO_04, "SMB2_FS_INFO_04" },
491 {SMB2_FS_INFO_05, "SMB2_FS_INFO_05" },
492 {SMB2_FS_INFO_06, "SMB2_FS_INFO_06" },
493 {SMB2_FS_INFO_07, "SMB2_FS_INFO_07" },
494 {SMB2_FS_OBJECTID_INFO, "SMB2_FS_OBJECTID_INFO" },
/* Security information level: a single code, 0x00, and its display string.
 * NOTE(review): the terminating { 0, NULL } entry and the closing brace are
 * on lines this listing omits -- confirm them in the full file. */
498 #define SMB2_SEC_INFO_00 0x00
499 static const value_string smb2_sec_info_levels[] = {
500 {SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
/* Find (directory query) information level codes and their display strings.
 * NOTE(review): the terminating { 0, NULL } entry and the closing brace are
 * on lines this listing omits -- confirm them in the full file. */
504 #define SMB2_FIND_DIRECTORY_INFO 0x01
505 #define SMB2_FIND_FULL_DIRECTORY_INFO 0x02
506 #define SMB2_FIND_BOTH_DIRECTORY_INFO 0x03
507 #define SMB2_FIND_INDEX_SPECIFIED 0x04
508 #define SMB2_FIND_NAME_INFO 0x0C
509 #define SMB2_FIND_ID_BOTH_DIRECTORY_INFO 0x25
510 #define SMB2_FIND_ID_FULL_DIRECTORY_INFO 0x26
511 static const value_string smb2_find_info_levels[] = {
512 { SMB2_FIND_DIRECTORY_INFO, "SMB2_FIND_DIRECTORY_INFO" },
513 { SMB2_FIND_FULL_DIRECTORY_INFO, "SMB2_FIND_FULL_DIRECTORY_INFO" },
514 { SMB2_FIND_BOTH_DIRECTORY_INFO, "SMB2_FIND_BOTH_DIRECTORY_INFO" },
515 { SMB2_FIND_INDEX_SPECIFIED, "SMB2_FIND_INDEX_SPECIFIED" },
516 { SMB2_FIND_NAME_INFO, "SMB2_FIND_NAME_INFO" },
517 { SMB2_FIND_ID_BOTH_DIRECTORY_INFO, "SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
518 { SMB2_FIND_ID_FULL_DIRECTORY_INFO, "SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
522 /* ExportObject preferences variable */
/* When TRUE, feed_eo_smb2() derives eo_info->fid from the exported file name
 * instead of from the handle-derived file id. Declared without `static`, so
 * it is visible to other translation units. */
523 gboolean eosmb2_take_name_as_fid = FALSE ;
/*
 * Unmatched smb_saved_info structures.
 * An unmatched smb_saved_info structure is stored keyed on its SEQNUM field.
 */

/*
 * Equality callback for the unmatched table: two keys are the same entry
 * when their seqnum fields are equal.
 * NOTE(review): the return-type line is missing from the listing this was
 * restored from; gint follows smb2_eo_files_equal() in this file -- confirm.
 */
static gint
smb2_saved_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	if (lhs->seqnum != rhs->seqnum) {
		return 0;
	}
	return 1;
}
/*
 * Hash callback for the unmatched table: the low 32 bits of seqnum.
 * NOTE(review): the return type, the declaration of the hash variable and
 * the return statement are missing from the listing this was restored from;
 * guint follows smb2_eo_files_hash() in this file -- confirm.
 */
static guint
smb2_saved_info_hash_unmatched(gconstpointer k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (guint32)(entry->seqnum & 0xffffffff);
}
/*
 * Matched smb_saved_info structures.
 * A matched smb_saved_info structure is stored keyed on its SEQNUM field.
 */

/*
 * Equality callback for the matched table: two keys are the same entry when
 * their seqnum fields are equal.
 * NOTE(review): the return-type line is missing from the listing this was
 * restored from; gint follows smb2_eo_files_equal() in this file -- confirm.
 */
static gint
smb2_saved_info_equal_matched(gconstpointer k1, gconstpointer k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	if (lhs->seqnum != rhs->seqnum) {
		return 0;
	}
	return 1;
}
/*
 * Hash callback for the matched table: the low 32 bits of seqnum.
 * NOTE(review): the return type, the declaration of the hash variable and
 * the return statement are missing from the listing this was restored from;
 * guint follows smb2_eo_files_hash() in this file -- confirm.
 */
static guint
smb2_saved_info_hash_matched(gconstpointer k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (guint32)(entry->seqnum & 0xffffffff);
}
/*
 * Tids of a specific conversation.
 * Keeps track of tid->sharename mappings and other per-tid information.
 *
 * This may need refining if tids turn out to be reused within a single
 * conversation; that case is not handled yet, for simplicity. Until it is,
 * the share name shown for a reused tid may be the one recorded earlier.
 */

/*
 * Equality callback: two keys are the same entry when their tid fields are
 * equal.
 * NOTE(review): the return-type line is missing from the listing this was
 * restored from; gint follows smb2_eo_files_equal() in this file -- confirm.
 */
static gint
smb2_tid_info_equal(gconstpointer k1, gconstpointer k2)
{
	const smb2_tid_info_t *lhs = (const smb2_tid_info_t *)k1;
	const smb2_tid_info_t *rhs = (const smb2_tid_info_t *)k2;

	if (lhs->tid != rhs->tid) {
		return 0;
	}
	return 1;
}
582 smb2_tid_info_hash(gconstpointer k)
584 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
/*
 * Uids of a specific conversation.
 * Keeps track of uid->acct_name mappings and other per-uid information.
 *
 * This may need refining if uids turn out to be reused within a single
 * conversation; that case is not handled yet, for simplicity. Until it is,
 * the account name shown for a reused id may be the one recorded earlier.
 */

/*
 * Equality callback: two keys are the same entry when their sesid fields are
 * equal.
 * NOTE(review): the return-type line is missing from the listing this was
 * restored from; gint follows smb2_eo_files_equal() in this file -- confirm.
 */
static gint
smb2_sesid_info_equal(gconstpointer k1, gconstpointer k2)
{
	const smb2_sesid_info_t *lhs = (const smb2_sesid_info_t *)k1;
	const smb2_sesid_info_t *rhs = (const smb2_sesid_info_t *)k2;

	if (lhs->sesid != rhs->sesid) {
		return 0;
	}
	return 1;
}
/*
 * Hash callback: folds sesid to 32 bits by adding its upper and lower
 * halves (the sum wraps modulo 2^32).
 * NOTE(review): the return type, the declaration of the hash variable and
 * the return statement are missing from the listing this was restored from;
 * guint follows smb2_eo_files_hash() in this file -- confirm.
 */
static guint
smb2_sesid_info_hash(gconstpointer k)
{
	const smb2_sesid_info_t *entry = (const smb2_sesid_info_t *)k;
	guint32 upper = (guint32)((entry->sesid >> 32) & 0xffffffff);
	guint32 lower = (guint32)(entry->sesid & 0xffffffff);

	return (guint32)(upper + lower);
}
/*
 * Derive a 16-byte key into KO: HMAC-SHA256 keyed with KI is run over the
 * byte sequence written below, and the first 16 bytes of the digest are
 * copied out.
 * The comment in the body cites NIST SP 800-108 section 5.1 (KDF in counter
 * mode), whose PRF input is [i] || Label || 0x00 || Context || [L]; the
 * writes below follow that order (buf, Label, one byte of buf, Context, buf).
 * NOTE(review): this listing omits several lines of the function -- the end
 * of the parameter list, the declaration of buf, whatever is stored in buf
 * between the writes, and everything after the memcpy -- so the counter and
 * length encodings, the handle cleanup and the behaviour without
 * HAVE_LIBGCRYPT cannot be checked from here.
 */
615 static void smb2_key_derivation(const guint8 *KI _U_, guint32 KI_len _U_,
616 const guint8 *Label _U_, guint32 Label_len _U_,
617 const guint8 *Context _U_, guint32 Context_len _U_,
620 #ifdef HAVE_LIBGCRYPT
621 gcry_md_hd_t hd = NULL;
623 guint8 *digest = NULL;
626 * a simplified version of
627 * "NIST Special Publication 800-108" section 5.1
/* NOTE(review): gcry_md_open() and gcry_md_setkey() both return a
 * gcry_error_t that is discarded here. If the open fails, hd is still NULL
 * when the calls below use it; checking both results and bailing out would
 * keep a failed setup from reaching gcry_md_write()/gcry_md_read(). */
630 gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
631 gcry_md_setkey(hd, KI, KI_len);
/* buf is zeroed, then written in full before Label and after Context, and
 * its first byte alone is written between Label and Context. */
633 memset(buf, 0, sizeof(buf));
635 gcry_md_write(hd, buf, sizeof(buf));
636 gcry_md_write(hd, Label, Label_len);
637 gcry_md_write(hd, buf, 1);
638 gcry_md_write(hd, Context, Context_len);
640 gcry_md_write(hd, buf, sizeof(buf));
/* NOTE(review): digest is not compared with NULL in the visible lines before
 * it is read. The copy length is a literal 16, so KO must provide at least
 * 16 bytes; its declaration is not visible in this listing. */
642 digest = gcry_md_read(hd, GCRY_MD_SHA256);
644 memcpy(KO, digest, 16);
652 /* for export-object-smb2 */
/*
 * Render a context handle as a text id in the 8-4-4-4-12 hex-digit layout
 * given by the format string below.
 * NOTE(review): the argument lines of the ep_strdup_printf() call and the
 * return are absent from this listing; smb2_eo_files_equal() compares
 * uuid.Data1..Data4[7], which is presumably what gets formatted -- confirm.
 * The string comes from the ep_ allocator, so callers should presumably not
 * keep the pointer beyond the current packet -- confirm.
 */
653 static gchar *policy_hnd_to_file_id(const e_ctx_hnd *hnd) {
655 file_id = ep_strdup_printf(
656 "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
/*
 * Hash callback for export-object file keys: the key is an e_ctx_hnd, and
 * the hash is g_str_hash() of the text id that policy_hnd_to_file_id()
 * builds for it.
 */
static guint smb2_eo_files_hash(gconstpointer k) {
	const e_ctx_hnd *hnd = (const e_ctx_hnd *)k;
	const gchar *file_id = policy_hnd_to_file_id(hnd);

	return g_str_hash(file_id);
}
/*
 * Equality callback for export-object file keys: two e_ctx_hnd keys are
 * equal when every part of their uuid (Data1, Data2, Data3 and the eight
 * Data4 bytes) matches. No other member of the handle is compared.
 * NOTE(review): the declaration of the result variable and the return
 * statement are missing from the listing this was restored from; this
 * assumes the comparison result is what gets returned -- confirm.
 */
static gint smb2_eo_files_equal(gconstpointer k1, gconstpointer k2) {
	const e_ctx_hnd *lhs = (const e_ctx_hnd *)k1;
	const e_ctx_hnd *rhs = (const e_ctx_hnd *)k2;
	int i;

	if (lhs->uuid.Data1 != rhs->uuid.Data1 ||
	    lhs->uuid.Data2 != rhs->uuid.Data2 ||
	    lhs->uuid.Data3 != rhs->uuid.Data3) {
		return FALSE;
	}

	for (i = 0; i < 8; i++) {
		if (lhs->uuid.Data4[i] != rhs->uuid.Data4[i]) {
			return FALSE;
		}
	}

	return TRUE;
}
/*
 * Export-object feeder: wraps `length` bytes of tvb starting at dataoffset
 * in a sub-tvb, fills an smb_eo_t (file name, fid, host/tree name, fid type,
 * offsets, payload pointer) and queues it on smb2_eo_tap.
 * The name strings placed in eo_info presumably originate from the capture,
 * so a listener that writes exported objects to disk should treat filename
 * and hostname as untrusted input.
 * NOTE(review): this listing omits lines of the function (the gutter
 * numbers jump), including the return type, some declarations and any
 * guards around si->tree and si->eo_file_info.
 */
694 feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, guint16 dataoffset,guint32 length, guint64 file_offset) {
696 char *fid_name = NULL;
697 guint32 open_frame = 0, close_frame = 0;
698 tvbuff_t *data_tvb = NULL;
702 gchar **aux_string_v;
/* NOTE(review): dataoffset is a guint16 while length is a guint32, so an
 * offset above 65535 would already be truncated when the caller converts
 * it -- confirm callers cannot pass one. */
704 /* Create a new tvb to point to the payload data */
705 data_tvb = tvb_new_subset(tvb, dataoffset, length, length);
706 /* Create the eo_info to pass to the listener */
707 eo_info = ep_new(smb_eo_t);
708 /* Fill in eo_info */
709 eo_info->smbversion=2;
711 eo_info->cmd=si->opcode;
712 /* We don't keep track of uid in SMB v2 */
/* NOTE(review): si->saved is dereferenced below with no check in the visible
 * lines; presumably the caller guarantees it is set -- confirm. */
715 /* Try to get file id and filename */
716 file_id=policy_hnd_to_file_id(&si->saved->policy_hnd);
717 dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num);
/* The stored name becomes the exported file name after only stripping a
 * "File: " prefix and forcing a leading backslash. Path separators and ".."
 * components pass through unchanged, so whatever consumes filename has to
 * sanitise it before it touches the filesystem. */
718 if (fid_name && g_strcmp0(fid_name,"File: ")!=0) {
720 /* Remove "File: " from filename */
721 if (g_str_has_prefix(auxstring, "File: ")) {
722 aux_string_v = g_strsplit(auxstring, "File: ", -1);
723 eo_info->filename = ep_strdup_printf("\\%s",aux_string_v[g_strv_length(aux_string_v)-1]);
724 g_strfreev(aux_string_v);
726 if (g_str_has_prefix(auxstring, "\\")) {
727 eo_info->filename = ep_strdup(auxstring);
729 eo_info->filename = ep_strdup_printf("\\%s",auxstring);
/* No usable name: fall back to a name built from the handle-derived id. */
733 auxstring=ep_strdup_printf("File_Id_%s", file_id);
734 eo_info->filename=auxstring;
/* fid is a g_str_hash() of either the file name or the handle-derived id,
 * chosen by the eosmb2_take_name_as_fid preference. Two different strings
 * can hash to the same value. NOTE(review): check how the listener behaves
 * when two files share a fid. */
739 if (eosmb2_take_name_as_fid) {
740 eo_info->fid = g_str_hash(eo_info->filename);
742 eo_info->fid = g_str_hash(file_id);
745 /* tid, hostname, tree_id */
747 eo_info->tid=si->tree->tid;
/* The tree name is used as hostname only when it is 1..256 bytes long;
 * otherwise a name is synthesised from the address string and the tid. */
748 if (strlen(si->tree->name)>0 && strlen(si->tree->name)<=256) {
749 eo_info->hostname = ep_strdup(si->tree->name);
751 eo_info->hostname = ep_strdup_printf("\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
755 eo_info->hostname = ep_strdup_printf("\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
759 eo_info->pkt_num = pinfo->fd->num;
/* Classify the fid from the attribute mask: directory first, then the
 * regular-file attribute bits, else "other". */
762 if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
763 eo_info->fid_type=SMB2_FID_TYPE_DIR;
765 if (si->eo_file_info->attr_mask &
766 (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
767 SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
768 SMB2_FLAGS_ATTR_SYSTEM) ) {
769 eo_info->fid_type=SMB2_FID_TYPE_FILE;
771 eo_info->fid_type=SMB2_FID_TYPE_OTHER;
776 eo_info->end_of_file=si->eo_file_info->end_of_file;
778 /* data offset and chunk length */
779 eo_info->smb_file_offset=file_offset;
780 eo_info->smb_chunk_len=length;
/* When this chunk is shorter than the bytes still expected, the saved
 * offset advances by length and the outstanding byte count shrinks by it. */
781 /* XXX is this right? */
782 if (length<si->saved->bytes_moved) {
783 si->saved->file_offset=si->saved->file_offset+length;
784 si->saved->bytes_moved=si->saved->bytes_moved-length;
/* payload_data points into data_tvb rather than at a copy.
 * NOTE(review): presumably the tap listener copies the bytes before the
 * packet's buffers are released -- confirm. */
788 eo_info->payload_len = length;
789 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);
791 tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
/* Forward declaration; the function is static, so its definition is
 * elsewhere in this file. */
795 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
798 /* This is a helper to dissect the common string type
804 * This function is called twice, first to decode the offset/length and
805 * second time to dissect the actual string.
806 * It is done this way since there is no guarantee that we have the full packet and we don't
807 * want to abort dissection too early if the packet ends somewhere between the
808 * length/offset and the actual buffer.
/* Layout of the offset/length pair on the wire. O_ and S_ give the width of
 * the offset and of the size (length) field, in the order they are read by
 * dissect_smb2_olb_length_offset(): the first three read the offset first,
 * OLB_S_UINT32_O_UINT32 reads the length first. */
811 enum offset_length_buffer_offset_size {
812 OLB_O_UINT16_S_UINT16,
813 OLB_O_UINT16_S_UINT32,
814 OLB_O_UINT32_S_UINT32,
815 OLB_S_UINT32_O_UINT32
/* State carried from the first pass (reading offset/length) to the second
 * pass (dissecting the buffer).
 * NOTE(review): most member declarations are on lines this listing omits;
 * the code in this file uses off, len, off_offset, len_offset and hfindex in
 * addition to offset_size. */
817 typedef struct _offset_length_buffer_t {
822 enum offset_length_buffer_offset_size offset_size;
824 } offset_length_buffer_t;
/*
 * First pass of the offset/length/buffer helper: read the offset and length
 * fields at `offset`, in the layout selected by offset_size, and record in
 * *olb both the values and the positions they were read from, together with
 * hfindex and offset_size.
 * The values are stored exactly as read from the packet; nothing here range
 * checks them. The check is made when the buffer is dissected (see the
 * tvb_ensure_bytes_exist() call in dissect_smb2_olb_string()).
 * NOTE(review): the return type, the lines that advance `offset` between the
 * two reads, the `break` statements and the return are absent from this
 * listing.
 */
826 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
827 enum offset_length_buffer_offset_size offset_size, int hfindex)
829 olb->hfindex = hfindex;
830 olb->offset_size = offset_size;
831 switch (offset_size) {
/* 16-bit little-endian offset, then 16-bit little-endian length. */
832 case OLB_O_UINT16_S_UINT16:
833 olb->off = tvb_get_letohs(tvb, offset);
834 olb->off_offset = offset;
836 olb->len = tvb_get_letohs(tvb, offset);
837 olb->len_offset = offset;
/* 16-bit little-endian offset, then 32-bit little-endian length. */
840 case OLB_O_UINT16_S_UINT32:
841 olb->off = tvb_get_letohs(tvb, offset);
842 olb->off_offset = offset;
844 olb->len = tvb_get_letohl(tvb, offset);
845 olb->len_offset = offset;
/* 32-bit little-endian offset, then 32-bit little-endian length. */
848 case OLB_O_UINT32_S_UINT32:
849 olb->off = tvb_get_letohl(tvb, offset);
850 olb->off_offset = offset;
852 olb->len = tvb_get_letohl(tvb, offset);
853 olb->len_offset = offset;
/* 32-bit little-endian length first, then 32-bit little-endian offset. */
856 case OLB_S_UINT32_O_UINT32:
857 olb->len = tvb_get_letohl(tvb, offset);
858 olb->len_offset = offset;
860 olb->off = tvb_get_letohl(tvb, offset);
861 olb->off_offset = offset;
/* String encodings accepted by the `type` argument of
 * dissect_smb2_olb_string(). */
869 #define OLB_TYPE_UNICODE_STRING 0x01
870 #define OLB_TYPE_ASCII_STRING 0x02
/*
 * Second pass of the offset/length/buffer helper, for strings: checks that
 * the range recorded in *olb lies inside the tvb, extracts the string in the
 * encoding selected by `type`, adds it to parent_tree under olb->hfindex and
 * then adds the offset and length fields beneath it.
 * NOTE(review): the return type, the local declarations, the assignments of
 * off/len/offset and the return paths are on lines absent from this listing.
 */
872 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
875 proto_item *item = NULL;
876 proto_tree *tree = NULL;
877 const char *name = NULL;
884 bc = tvb_length_remaining(tvb, offset);
/* tvb_ensure_bytes_exist() raises a dissector exception when the range
 * starting at off with length len is not inside the tvb, so a truncated or
 * out-of-range buffer leaves the function here. */
888 tvb_ensure_bytes_exist(tvb, off, len);
/* NOTE(review): the first operand of this condition is on a line absent from
 * the listing. off and len come from the packet; if they are 32-bit
 * unsigned, off+len can wrap, and the comparison on this line alone would
 * not catch that -- confirm the missing operand covers the wrap. */
890 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
891 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
892 "Invalid offset/length. Malformed packet");
894 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
/* The two cases differ only in the third argument passed to
 * get_unicode_or_ascii_string(): TRUE for the Unicode type, FALSE for ASCII.
 * NOTE(review): the lines between each call and proto_tree_add_string() are
 * absent from this listing -- confirm name is checked for NULL before use. */
901 case OLB_TYPE_UNICODE_STRING:
902 name = get_unicode_or_ascii_string(tvb, &off,
903 TRUE, &len, TRUE, TRUE, &bc);
908 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
909 tree = proto_item_add_subtree(item, ett_smb2_olb);
912 case OLB_TYPE_ASCII_STRING:
913 name = get_unicode_or_ascii_string(tvb, &off,
914 FALSE, &len, TRUE, TRUE, &bc);
919 item = proto_tree_add_string(parent_tree, olb->hfindex, tvb, offset, len, name);
920 tree = proto_item_add_subtree(item, ett_smb2_olb);
/* Show the raw offset and length fields at the positions and widths recorded
 * during the first pass. */
925 switch (olb->offset_size) {
926 case OLB_O_UINT16_S_UINT16:
927 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
928 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
930 case OLB_O_UINT16_S_UINT32:
931 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
932 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
934 case OLB_O_UINT32_S_UINT32:
935 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
936 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
938 case OLB_S_UINT32_O_UINT32:
939 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
940 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/*
 * Dissect the buffer that an offset/length pair (olb) points at by handing
 * a sub-tvb of it to the `dissector` callback, after adding the raw offset
 * and length fields to the tree.
 *
 * olb->off and olb->len are filled from packet bytes with tvb_get_letoh*(),
 * so the offset and length handled here are untrusted input.
 * NOTE(review): this listing omits some lines (the gutter numbers skip),
 * among them the declarations of offset, off and len.
 */
948 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
949 offset_length_buffer_t *olb, smb2_info_t *si,
950 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
953 proto_item *sub_item = NULL;
954 proto_tree *sub_tree = NULL;
955 tvbuff_t *sub_tvb = NULL;
/*
 * Sanity check before the sub-tvb is built. tvb_ensure_bytes_exist() throws
 * if len bytes at off are not present. The first half of the condition that
 * follows is on a line not shown here; the visible half rejects a length
 * that runs past the reported end of the tvb.
 */
963 tvb_ensure_bytes_exist(tvb, off, len);
965 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
966 proto_tree_add_text(parent_tree, tvb, offset, tvb_length_remaining(tvb, offset),
967 "Invalid offset/length. Malformed packet");
969 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
974 /* if we don't want/need a subtree */
975 if (olb->hfindex == -1) {
976 sub_item = parent_tree;
977 sub_tree = parent_tree;
980 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
981 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
/* Show the raw offset and length fields at their recorded positions; olb->offset_size fixes each field's width (2 or 4 bytes) and order. */
985 switch (olb->offset_size) {
986 case OLB_O_UINT16_S_UINT16:
987 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
988 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
990 case OLB_O_UINT16_S_UINT32:
991 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
992 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
994 case OLB_O_UINT32_S_UINT32:
995 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
996 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
998 case OLB_S_UINT32_O_UINT32:
999 proto_tree_add_item(sub_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
1000 proto_tree_add_item(sub_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
/* A zero offset or zero length is labelled as an empty buffer; what follows the label is on lines not shown. */
1004 if (off == 0 || len == 0) {
1005 proto_item_append_text(sub_item, ": NO DATA");
/*
 * The sub-tvb's captured length is clamped to the bytes actually available
 * at off; its reported length stays len, so the callback can tell a short
 * capture from a short buffer.
 * NOTE(review): the (int) cast assumes len fits in an int; presumably the
 * sanity check above guarantees that -- confirm.
 */
1013 sub_tvb = tvb_new_subset(tvb, off, MIN((int)len, tvb_length_remaining(tvb, off)), len);
1015 dissector(sub_tvb, pinfo, sub_tree, si);
/*
 * Return the larger of `offset` and the end of the buffer that olb describes
 * (olb->off + olb->len). The branch taken when olb->off is 0 is on a line
 * not shown in this listing.
 *
 * NOTE(review): olb->off and olb->len are filled from packet bytes and the
 * sum is cast to int here without a range check; presumably callers run the
 * olb through one of the sanity-checked olb dissectors first -- confirm,
 * since a wrapped or negative result would be used as an offset.
 */
1019 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
1021 if (olb->off == 0) {
1024 return MAX(offset, (int)(olb->off + olb->len));
/*
 * Pair of handlers, one for a request and one for a response. Both take the
 * tvb, pinfo, tree, current offset and smb2_info_t and return an int
 * (presumably the offset after dissection -- confirm).
 */
1027 typedef struct _smb2_function {
1028 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
1029 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
/*
 * Display strings for boolean header flags, capability bits and interface
 * capability bits: the first string of each pair is for a set bit, the
 * second for a clear bit. Some lines of these tables are not shown in this
 * listing (the gutter numbers skip).
 */
1032 static const true_false_string tfs_flags_response = {
1033 "This is a RESPONSE",
1037 static const true_false_string tfs_flags_async_cmd = {
1038 "This is an ASYNC command",
1039 "This is a SYNC command"
1042 static const true_false_string tfs_flags_dfs_op = {
1043 "This is a DFS OPERATION",
1044 "This is a normal operation"
/* NOTE(review): the set-bit string below is missing a verb ("This pdu is a CHAINED command"). */
1047 static const true_false_string tfs_flags_chained = {
1048 "This pdu a CHAINED command",
1049 "This pdu is NOT a chained command"
1052 static const true_false_string tfs_flags_signature = {
1053 "This pdu is SIGNED",
1054 "This pdu is NOT signed"
/* NOTE(review): "OPEARATION" below is a misspelling of "OPERATION". */
1057 static const true_false_string tfs_flags_replay_operation = {
1058 "This is a REPLAY OPEARATION",
1059 "This is NOT a replay operation"
1062 static const true_false_string tfs_cap_dfs = {
1063 "This host supports DFS",
1064 "This host does NOT support DFS"
1067 static const true_false_string tfs_cap_leasing = {
1068 "This host supports LEASING",
1069 "This host does NOT support LEASING"
1072 static const true_false_string tfs_cap_large_mtu = {
1073 "This host supports LARGE_MTU",
1074 "This host does NOT support LARGE_MTU"
1077 static const true_false_string tfs_cap_multi_channel = {
1078 "This host supports MULTI CHANNEL",
1079 "This host does NOT support MULTI CHANNEL"
1082 static const true_false_string tfs_cap_persistent_handles = {
1083 "This host supports PERSISTENT HANDLES",
1084 "This host does NOT support PERSISTENT HANDLES"
1087 static const true_false_string tfs_cap_directory_leasing = {
1088 "This host supports DIRECTORY LEASING",
1089 "This host does NOT support DIRECTORY LEASING"
1092 static const true_false_string tfs_cap_encryption = {
1093 "This host supports ENCRYPTION",
1094 "This host does NOT support ENCRYPTION"
1097 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
1098 "This interface supports RSS",
1099 "This interface does not support RSS"
1102 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
1103 "This interface supports RDMA",
1104 "This interface does not support RDMA"
/* Names for compression format codes 0 to 2; the rest of the table is on lines not shown in this listing. */
1107 static const value_string compression_format_vals[] = {
1108 { 0, "COMPRESSION_FORMAT_NONE" },
1109 { 1, "COMPRESSION_FORMAT_DEFAULT" },
1110 { 2, "COMPRESSION_FORMAT_LZNT1" },
/*
 * Names for 32-bit FSCTL/ioctl function codes. The comments inside the
 * table split it into codes that have a dissector and codes that are only
 * named. The end of the table is on lines not shown in this listing.
 */
1115 static const value_string smb2_ioctl_vals[] = {
1116 /* dissector implemented */
1117 {0x00060194, "FSCTL_DFS_GET_REFERRALS"},
1118 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"},
1119 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"},
1120 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"},
1121 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"},
1122 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"},
1123 {0x00144064, "FSCTL_GET_SHADOW_COPY_DATA"},
1124 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"},
1125 {0x0009009C, "FSCTL_GET_OBJECT_ID"},
1126 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
1127 {0x00098098, "FSCTL_SET_OBJECT_ID"},
1128 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"},
1129 {0x0009003C, "FSCTL_GET_COMPRESSION"},
1130 {0x0009C040, "FSCTL_SET_COMPRESSION"},
1132 /* dissector not yet implemented */
1133 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
1134 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
1135 {0x001441bb, "FSCTL_SRV_READ_HASH"},
1136 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
1137 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
1138 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
1139 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
1140 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
1141 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
1142 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
1143 {0x00090018, "FSCTL_LOCK_VOLUME"},
1144 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
1145 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
1146 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
1147 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
1148 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
1149 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
1150 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
1151 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
1152 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
1153 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
1154 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
1155 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
1156 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
1157 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
1158 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
1159 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
1160 {0x00090074, "FSCTL_MOVE_FILE"},
1161 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
1162 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
1163 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
1164 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
1165 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
1166 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
1167 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
1168 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
1169 {0x000900A8, "FSCTL_GET_REPARSE_POINT"},
1170 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
1171 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
1172 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
1173 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
1174 {0x000980C4, "FSCTL_SET_SPARSE"},
1175 {0x000980C8, "FSCTL_SET_ZERO_DATA"},
1176 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"},
1177 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
1178 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
1179 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
1180 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
1181 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
1182 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
1183 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
1184 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
1185 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
/*
 * Device type names. dissect_smb2_ioctl_function() looks a value up here
 * from bits 16-31 of the ioctl function code and prints "Unknown (0x...)"
 * when there is no entry.
 * NOTE(review): several values are absent from this listing (for example
 * 0x0001 and 0x0006); cannot tell from here whether the file defines them.
 */
1190 static const value_string smb2_ioctl_device_vals[] = {
1192 { 0x0002, "CD_ROM" },
1193 { 0x0003, "CD_ROM_FILE_SYSTEM" },
1194 { 0x0004, "CONTROLLER" },
1195 { 0x0005, "DATALINK" },
1198 { 0x0008, "DISK_FILE_SYSTEM" },
1199 { 0x0009, "FILE_SYSTEM" },
1200 { 0x000a, "INPORT_PORT" },
1201 { 0x000b, "KEYBOARD" },
1202 { 0x000c, "MAILSLOT" },
1203 { 0x000d, "MIDI_IN" },
1204 { 0x000e, "MIDI_OUT" },
1205 { 0x000f, "MOUSE" },
1206 { 0x0010, "MULTI_UNC_PROVIDER" },
1207 { 0x0011, "NAMED_PIPE" },
1208 { 0x0012, "NETWORK" },
1209 { 0x0013, "NETWORK_BROWSER" },
1210 { 0x0014, "NETWORK_FILE_SYSTEM" },
1212 { 0x0016, "PARALLEL_PORT" },
1213 { 0x0017, "PHYSICAL_NETCARD" },
1214 { 0x0018, "PRINTER" },
1215 { 0x0019, "SCANNER" },
1216 { 0x001a, "SERIAL_MOUSE_PORT" },
1217 { 0x001b, "SERIAL_PORT" },
1218 { 0x001c, "SCREEN" },
1219 { 0x001d, "SOUND" },
1220 { 0x001e, "STREAMS" },
1222 { 0x0020, "TAPE_FILE_SYSTEM" },
1223 { 0x0021, "TRANSPORT" },
1224 { 0x0022, "UNKNOWN" },
1225 { 0x0023, "VIDEO" },
1226 { 0x0024, "VIRTUAL_DISK" },
1227 { 0x0025, "WAVE_IN" },
1228 { 0x0026, "WAVE_OUT" },
1229 { 0x0027, "8042_PORT" },
1230 { 0x0028, "NETWORK_REDIRECTOR" },
1231 { 0x0029, "BATTERY" },
1232 { 0x002a, "BUS_EXTENDER" },
1233 { 0x002b, "MODEM" },
1235 { 0x002d, "MASS_STORAGE" },
1238 { 0x0030, "CHANGER" },
1239 { 0x0031, "SMARTCARD" },
1242 { 0x0034, "FULLSCREEN_VIDEO" },
1243 { 0x0035, "DFS_FILE_SYSTEM" },
1244 { 0x0036, "DFS_VOLUME" },
1245 { 0x0037, "SERENUM" },
1246 { 0x0038, "TERMSRV" },
/* Names for the four access values 0 to 3 of an ioctl function code; where the table is referenced is not visible in this listing. */
1251 static const value_string smb2_ioctl_access_vals[] = {
1252 { 0x00, "FILE_ANY_ACCESS" },
1253 { 0x01, "FILE_READ_ACCESS" },
1254 { 0x02, "FILE_WRITE_ACCESS" },
1255 { 0x03, "FILE_READ_WRITE_ACCESS" },
/* Names for the four method values 0 to 3 of an ioctl function code; where the table is referenced is not visible in this listing. */
1259 static const value_string smb2_ioctl_method_vals[] = {
1260 { 0x00, "METHOD_BUFFERED" },
1261 { 0x01, "METHOD_IN_DIRECT" },
1262 { 0x02, "METHOD_OUT_DIRECT" },
1263 { 0x03, "METHOD_NEITHER" },
1267 /* this is called from both smb and smb2. */
/*
 * Dissect a 4-byte ioctl function code: add it as an item with a subtree,
 * copy the value to *ioctlfunc, add the device / access / function / method
 * sub-field items and append a name to the Info column.
 * NOTE(review): this listing omits some lines (the gutter numbers skip),
 * so guards and offset updates may exist that are not visible here.
 */
1269 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctlfunc)
1271 proto_item *item = NULL;
1272 proto_tree *tree = NULL;
1273 guint32 ioctl_function;
1276 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1277 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
/* The code is read from the packet as a little-endian 32-bit value. */
1280 ioctl_function = tvb_get_letohl(tvb, offset);
1282 *ioctlfunc = ioctl_function;
1283 if (ioctl_function) {
/* Sentinel for "no table entry": its address is compared below, not its text. */
1284 const gchar *unknown = "unknown";
1285 const gchar *ioctl_name = val_to_str_const(ioctl_function,
1290 * val_to_str_const() doesn't work with a unknown == NULL
1292 if (ioctl_name == unknown) {
/* A known name goes to the Info column through a fixed " %s" format. */
1296 if (check_col(pinfo->cinfo, COL_INFO) && ioctl_name != NULL) {
1298 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
/* Each sub-field item below is added with a length of 4. */
1302 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Without a known name, fall back to the device type name taken from bits 16-31 of the code. */
1303 if (check_col(pinfo->cinfo, COL_INFO) && ioctl_name == NULL) {
1305 pinfo->cinfo, COL_INFO, " %s",
1306 val_to_str((ioctl_function>>16)&0xffff, smb2_ioctl_device_vals,
1307 "Unknown (0x%08X)"));
1311 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1314 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Same fallback for the raw function number, bits 2-13 of the code. */
1315 if (check_col(pinfo->cinfo, COL_INFO) && ioctl_name == NULL) {
1317 pinfo->cinfo, COL_INFO, " Function:0x%04x",
1318 (ioctl_function>>2)&0x0fff);
1322 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1330 /* fake the dce/rpc support structures so we can piggy back on
1331 * dissect_nt_policy_hnd() since this will allow us
1332 * a cheap way to track where FIDs are opened, closed
1333 * and fid->filename mappings
1334 * if we want to do those things in the future.
1336 #define FID_MODE_OPEN 0
1337 #define FID_MODE_CLOSE 1
1338 #define FID_MODE_USE 2
1339 #define FID_MODE_DHNQ 3
1340 #define FID_MODE_DHNC 4
/*
 * Dissect a file ID through dissect_nt_guid_hnd() using faked DCE/RPC
 * support structures, and keep a per-conversation table (si->conv->files)
 * of smb2_eo_file_info_t entries keyed by the handle. `mode` is one of the
 * FID_MODE_* values; the visible calls pass different open/close flags to
 * dissect_nt_guid_hnd() for the open, close and remaining cases.
 * NOTE(review): this listing omits some lines (the gutter numbers skip),
 * including the declaration of fid_name and, presumably, a switch on mode.
 */
1342 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
1344 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
/* di and call_data are function-static, so every call reuses the same two objects. */
1345 static dcerpc_info di; /* fake dcerpc_info struct */
1346 static dcerpc_call_value call_data;
1347 void *old_private_data;
1348 e_ctx_hnd policy_hnd;
1349 e_ctx_hnd *policy_hnd_hashtablekey;
1350 proto_item *hnd_item = NULL;
1352 guint32 open_frame = 0, close_frame = 0;
1353 smb2_eo_file_info_t *eo_file_info;
1355 di.conformant_run = 0;
1356 /* we need di->call_data->flags.NDR64 == 0 */
1357 di.call_data = &call_data;
/* Point pinfo->private_data at the fake dcerpc_info for the handle calls; the saved value is restored before the name lookup further down. */
1358 old_private_data = pinfo->private_data;
1359 pinfo->private_data = &di;
1363 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, drep, hf_smb2_fid, &policy_hnd, &hnd_item, TRUE, FALSE);
/* Only on the first pass over this frame: record a display name for the handle. */
1364 if (!pinfo->fd->flags.visited) {
/* The (char *) cast of extra_info relies on the SMB2_EI_FILENAME type check in this condition. */
1365 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
1366 fid_name = se_strdup_printf("File: %s", (char *)si->saved->extra_info);
1368 fid_name = se_strdup_printf("File: ");
1370 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
1373 /* If needed, create the file entry and save the policy hnd */
1374 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
/*
 * One table entry per distinct handle value; the key is a separately
 * allocated copy because policy_hnd is a local.
 * NOTE(review): nothing in the visible lines removes entries, so the table
 * grows with the number of distinct handles seen in the capture -- confirm
 * how the table is bounded or released.
 */
1377 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1378 if (!eo_file_info) {
1379 eo_file_info = se_new(smb2_eo_file_info_t);
1380 policy_hnd_hashtablekey = se_new(e_ctx_hnd);
1381 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1382 eo_file_info->end_of_file=0;
1383 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1385 si->eo_file_info=eo_file_info;
1389 case FID_MODE_CLOSE:
1390 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, TRUE);
1395 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, drep, hf_smb2_fid, &policy_hnd, &hnd_item, FALSE, FALSE);
1399 pinfo->private_data = old_private_data;
/* fid_name reaches the tree item and the Info column only as an argument to a fixed " %s" format. */
1402 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num)) {
1403 /* put the filename in col_info */
1406 proto_item_append_text(hnd_item, " %s", fid_name);
1408 if (check_col(pinfo->cinfo, COL_INFO)) {
1409 col_append_fstr(pinfo->cinfo, COL_INFO, " %s", fid_name);
1413 /* look for the eo_file_info */
1414 if (!si->eo_file_info) {
1415 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
1417 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&policy_hnd);
1419 si->eo_file_info=eo_file_info;
1420 } else { /* XXX This should never happen */
/*
 * NOTE(review): the visible lines of this branch insert a new entry into
 * the table but do not store it in si->eo_file_info -- confirm whether
 * that is intended.
 */
1421 eo_file_info = se_alloc(sizeof(smb2_eo_file_info_t));
1422 policy_hnd_hashtablekey = se_alloc(sizeof(e_ctx_hnd));
1423 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
1424 eo_file_info->end_of_file=0;
1425 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
1436 /* this info level is unique to SMB2 and differs from the corresponding
1437 * SMB_FILE_ALL_INFO in SMB
/*
 * Dissect the SMB2 "file all info" structure field by field: four 64-bit
 * timestamps, file attributes, sizes, link count, flags, file id, EA size,
 * access mask, then a length-prefixed file name.
 * NOTE(review): this listing omits some lines (the gutter numbers skip),
 * including the offset increments between fields and the declarations of
 * length and bc.
 */
1440 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1442 proto_item *item = NULL;
1443 proto_tree *tree = NULL;
1445 const char *name = "";
/* Length -1: the item is added without a fixed length. */
1449 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
1450 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
1454 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1457 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1460 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1463 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1465 /* File Attributes */
1466 offset = dissect_file_ext_attr(tvb, tree, offset);
1468 /* some unknown bytes */
1469 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
1472 /* allocation size */
1473 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1477 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1480 /* number of links */
1481 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1484 /* delete pending */
1485 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1489 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1496 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1500 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1504 offset = dissect_smb_access_mask(tvb, tree, offset);
1506 /* some unknown bytes */
1507 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
1510 /* file name length */
/* The name length is a 16-bit value taken from the packet; it is not range-checked in the visible lines. */
1511 length = tvb_get_letohs(tvb, offset);
1512 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1515 /* some unknown bytes */
1516 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/*
 * bc (captured bytes left from offset) and length both go to the string
 * helper by pointer; presumably the helper limits the read to them --
 * confirm in get_unicode_or_ascii_string().
 */
1521 bc = tvb_length_remaining(tvb, offset);
1522 name = get_unicode_or_ascii_string(tvb, &offset,
1523 TRUE, &length, TRUE, TRUE, &bc);
1525 proto_tree_add_string(tree, hf_smb2_filename, tvb,
1526 offset, length, name);
/*
 * Add the hf_smb2_file_allocation_info item with its subtree, then hand the
 * body to dissect_qsfi_SMB_FILE_ALLOCATION_INFO(). bc, the captured bytes
 * left from offset, and trunc are passed to the helper by pointer; their
 * declarations are on lines not shown in this listing.
 */
1538 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1540 proto_item *item = NULL;
1541 proto_tree *tree = NULL;
1546 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
1547 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
1550 bc = tvb_length_remaining(tvb, offset);
1551 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_endoffile_info item with its subtree, then hand the
 * body to dissect_qsfi_SMB_FILE_ENDOFFILE_INFO() with bc (captured bytes
 * left from offset) and trunc passed by pointer.
 */
1557 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1559 proto_item *item = NULL;
1560 proto_tree *tree = NULL;
1565 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
1566 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
1569 bc = tvb_length_remaining(tvb, offset);
1570 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_alternate_name_info item with its subtree, then hand
 * the body to dissect_qfi_SMB_FILE_NAME_INFO() with bc (captured bytes left
 * from offset) and trunc passed by pointer.
 */
1576 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1578 proto_item *item = NULL;
1579 proto_tree *tree = NULL;
1584 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
1585 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
1588 bc = tvb_length_remaining(tvb, offset);
1589 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Dissect the "file basic info" structure in place: four 64-bit timestamps
 * (create, last access, last write, last change), the file attributes and
 * four bytes shown as unknown.
 */
1596 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1598 proto_item *item = NULL;
1599 proto_tree *tree = NULL;
1602 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
1603 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
/* Each helper call returns the offset for the next field. */
1607 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
1610 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
1613 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
1616 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
1618 /* File Attributes */
1619 offset = dissect_file_ext_attr(tvb, tree, offset);
1621 /* some unknown bytes */
1622 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/*
 * Add the hf_smb2_file_standard_info item with its subtree, then hand the
 * body to dissect_qfi_SMB_FILE_STANDARD_INFO() with bc (captured bytes left
 * from offset) and trunc passed by pointer.
 */
1629 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1631 proto_item *item = NULL;
1632 proto_tree *tree = NULL;
1637 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
1638 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
1641 bc = tvb_length_remaining(tvb, offset);
1642 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_internal_info item with its subtree, then hand the
 * body to dissect_qfi_SMB_FILE_INTERNAL_INFO() with bc (captured bytes left
 * from offset) and trunc passed by pointer.
 */
1647 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1649 proto_item *item = NULL;
1650 proto_tree *tree = NULL;
1655 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
1656 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
1659 bc = tvb_length_remaining(tvb, offset);
1660 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_mode_info item with its subtree, then hand the body
 * to dissect_qsfi_SMB_FILE_MODE_INFO() with bc (captured bytes left from
 * offset) and trunc passed by pointer.
 */
1665 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1667 proto_item *item = NULL;
1668 proto_tree *tree = NULL;
1673 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
1674 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
1677 bc = tvb_length_remaining(tvb, offset);
1678 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_alignment_info item with its subtree, then hand the
 * body to dissect_qfi_SMB_FILE_ALIGNMENT_INFO() with bc (captured bytes left
 * from offset) and trunc passed by pointer.
 */
1683 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1685 proto_item *item = NULL;
1686 proto_tree *tree = NULL;
1691 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
1692 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
1695 bc = tvb_length_remaining(tvb, offset);
1696 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_position_info item with its subtree, then hand the
 * body to dissect_qsfi_SMB_FILE_POSITION_INFO() with bc (captured bytes left
 * from offset) and trunc passed by pointer.
 */
1701 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1703 proto_item *item = NULL;
1704 proto_tree *tree = NULL;
1709 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
1710 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
1713 bc = tvb_length_remaining(tvb, offset);
1714 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_access_info item with its subtree and dissect the
 * access mask into it with dissect_smb_access_mask(), which returns the
 * offset after the mask.
 */
1720 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1722 proto_item *item = NULL;
1723 proto_tree *tree = NULL;
1726 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
1727 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
1731 offset = dissect_smb_access_mask(tvb, tree, offset);
/*
 * Add the hf_smb2_file_ea_info item with its subtree, then hand the body to
 * dissect_qfi_SMB_FILE_EA_INFO() with bc (captured bytes left from offset)
 * and trunc passed by pointer.
 */
1737 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1739 proto_item *item = NULL;
1740 proto_tree *tree = NULL;
1745 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
1746 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
1749 bc = tvb_length_remaining(tvb, offset);
1750 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_stream_info item with its subtree, then hand the body
 * to dissect_qfi_SMB_FILE_STREAM_INFO() with bc (captured bytes left from
 * offset) and trunc passed by pointer. The trailing TRUE is an extra helper
 * argument whose meaning is not visible in this listing.
 */
1756 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1758 proto_item *item = NULL;
1759 proto_tree *tree = NULL;
1764 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
1765 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
1768 bc = tvb_length_remaining(tvb, offset);
1769 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, TRUE);
/*
 * Add the hf_smb2_file_pipe_info item with its subtree, then hand the body
 * to dissect_sfi_SMB_FILE_PIPE_INFO() with bc (captured bytes left from
 * offset) and trunc passed by pointer.
 */
1775 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1777 proto_item *item = NULL;
1778 proto_tree *tree = NULL;
1783 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
1784 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
1787 bc = tvb_length_remaining(tvb, offset);
1788 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_compression_info item with its subtree, then hand the
 * body to dissect_qfi_SMB_FILE_COMPRESSION_INFO() with bc (captured bytes
 * left from offset) and trunc passed by pointer.
 */
1794 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1796 proto_item *item = NULL;
1797 proto_tree *tree = NULL;
1802 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
1803 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
1806 bc = tvb_length_remaining(tvb, offset);
1807 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_network_open_info item with its subtree, then hand
 * the body to dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO() with bc (captured
 * bytes left from offset) and trunc passed by pointer.
 */
1813 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1815 proto_item *item = NULL;
1816 proto_tree *tree = NULL;
1821 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
1822 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
1826 bc = tvb_length_remaining(tvb, offset);
1827 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/*
 * Add the hf_smb2_file_attribute_tag_info item with its subtree, then hand
 * the body to dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO() with bc (captured
 * bytes left from offset) and trunc passed by pointer.
 */
1833 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1835 proto_item *item = NULL;
1836 proto_tree *tree = NULL;
1841 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
1842 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
1846 bc = tvb_length_remaining(tvb, offset);
1847 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
/* Display strings for the delete-on-close flag: first string when set, second when clear. */
1852 static const true_false_string tfs_disposition_delete_on_close = {
1853 "DELETE this file when closed",
1854 "Normal access, do not delete on close"
/*
 * Add the hf_smb2_file_disposition_info item with its subtree and, inside
 * it, the one-byte delete-on-close field.
 */
1858 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1860 proto_item *item = NULL;
1861 proto_tree *tree = NULL;
1864 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
1865 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
1868 /* file disposition */
1869 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/*
 * Dissect a chain of extended-attribute (EA) entries. Each entry carries a
 * 32-bit next offset, a flags byte, an 8-bit name length, a 16-bit data
 * length, then the name and the data; the next entry is looked for at
 * start_offset + next_offset.
 *
 * All three length/offset values are read from the packet and are untrusted.
 * NOTE(review): this listing omits some lines (the gutter numbers skip),
 * including the loop header and its exit test. Confirm that a next_offset
 * which does not move offset forward cannot keep the loop running.
 */
1875 dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1877 proto_item *item = NULL;
1878 proto_tree *tree = NULL;
1879 guint32 next_offset;
1881 guint16 ea_data_len;
1884 item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
1885 tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
1890 const char *name = "";
1891 const char *data = "";
/* start_offset marks the beginning of this entry; next_offset is applied relative to it. */
1893 int start_offset = offset;
1894 proto_item *ea_item = NULL;
1895 proto_tree *ea_tree = NULL;
1898 ea_item = proto_tree_add_text(tree, tvb, offset, -1, "EA:");
1899 ea_tree = proto_item_add_subtree(ea_item, ett_smb2_ea);
1903 next_offset = tvb_get_letohl(tvb, offset);
1904 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1908 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1911 /* EA Name Length */
1912 ea_name_len = tvb_get_guint8(tvb, offset);
1913 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1916 /* EA Data Length */
1917 ea_data_len = tvb_get_letohs(tvb, offset);
1918 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* Name: the declared length and the captured bytes left (bc) go to the string helper by pointer. */
1922 length = ea_name_len;
1924 bc = tvb_length_remaining(tvb, offset);
1925 name = get_unicode_or_ascii_string(tvb, &offset,
1926 FALSE, &length, TRUE, TRUE, &bc);
1928 proto_tree_add_string(ea_tree, hf_smb2_ea_name, tvb,
1929 offset, length + 1, name);
1933 /* The name is terminated with a NULL */
1934 offset += ea_name_len + 1;
/* Data: fetched as a string for the summary text, but added to the tree as raw bytes (ENC_NA). */
1937 length = ea_data_len;
1939 bc = tvb_length_remaining(tvb, offset);
1940 data = get_unicode_or_ascii_string(tvb, &offset,
1941 FALSE, &length, TRUE, TRUE, &bc);
1943 * We put the data here ...
1945 proto_tree_add_item(ea_tree, hf_smb2_ea_data, tvb,
1946 offset, length, ENC_NA);
1948 offset += ea_data_len;
/*
 * NOTE(review): name and data are whatever get_unicode_or_ascii_string()
 * returned; if that helper can return NULL, this format call receives
 * NULL for a %s conversion -- confirm.
 */
1952 proto_item_append_text(ea_item, " %s := %s", name, data);
1954 proto_item_set_len(ea_item, offset-start_offset);
/* The jump to the next entry uses the packet-supplied next_offset. */
1961 offset = start_offset+next_offset;
/*
 * Dissect the "file rename info" structure: 16 bytes shown as unknown, a
 * 16-bit file name length, 2 more unknown bytes, the new file name (also
 * appended to the Info column) and 4 trailing unknown bytes.
 * NOTE(review): this listing omits some lines (the gutter numbers skip),
 * including the offset increments and the declarations of length and bc.
 * pinfo is marked _U_ in the signature although the visible body uses it.
 */
1968 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
1970 proto_item *item = NULL;
1971 proto_tree *tree = NULL;
1973 const char *name = "";
1978 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
1979 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
1982 /* some unknown bytes */
1983 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
1986 /* file name length */
/* The name length is a 16-bit value taken from the packet; it is not range-checked in the visible lines. */
1987 length = tvb_get_letohs(tvb, offset);
1988 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1991 /* some unknown bytes */
1992 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* bc (captured bytes left from offset) and length both go to the string helper by pointer. */
1997 bc = tvb_length_remaining(tvb, offset);
1998 name = get_unicode_or_ascii_string(tvb, &offset,
1999 TRUE, &length, TRUE, TRUE, &bc);
2001 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2002 offset, length, name);
/* The name is appended to the Info column through a fixed " NewName:%s" format. */
2005 if (check_col(pinfo->cinfo, COL_INFO)) {
2006 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s",
2012 /* some unknown bytes */
2013 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
/*
 * Add the hf_smb2_sec_info_00 item with its subtree and dissect a security
 * descriptor into it with dissect_nt_sec_desc(). The length argument passed
 * to the helper is the number of captured bytes left from offset.
 */
2020 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2022 proto_item *item = NULL;
2023 proto_tree *tree = NULL;
2026 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
2027 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
2030 /* security descriptor */
2031 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, TRUE, tvb_length_remaining(tvb, offset), NULL);
/*
 * Add the hf_smb2_fs_info_05 item with its subtree, then hand the body to
 * dissect_qfsi_FS_ATTRIBUTE_INFO() with bc (captured bytes left from offset)
 * passed by pointer. The trailing TRUE is an extra helper argument whose
 * meaning is not visible in this listing.
 */
2037 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2039 proto_item *item = NULL;
2040 proto_tree *tree = NULL;
2044 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
2045 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
2048 bc = tvb_length_remaining(tvb, offset);
2049 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/*
 * Add the hf_smb2_fs_info_06 item with its subtree, then hand the body to
 * dissect_nt_quota() with bc (captured bytes left from offset) passed by
 * pointer.
 */
2055 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2057 proto_item *item = NULL;
2058 proto_tree *tree = NULL;
2062 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
2063 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
2066 bc = tvb_length_remaining(tvb, offset);
2067 offset = dissect_nt_quota(tvb, tree, offset, &bc);
/*
 * Add the hf_smb2_fs_objectid_info item with its subtree and dissect a
 * FILE_OBJECTID_BUFFER into it with dissect_smb2_FILE_OBJECTID_BUFFER(),
 * which returns the offset after the buffer.
 */
2073 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2075 proto_item *item = NULL;
2076 proto_tree *tree = NULL;
2079 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
2080 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
2083 /* FILE_OBJECTID_BUFFER */
2084 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* Wraps dissect_qfsi_FS_FULL_SIZE_INFO() in an hf_smb2_fs_info_07 subtree
 * that spans to the end of the tvb. */
2090 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2092 proto_item *item = NULL;
2093 proto_tree *tree = NULL;
2097 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
2098 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
/* Byte count for the helper is the remaining tvb length. bc's declaration
 * is on an omitted line, so check for narrowing (TODO confirm type). */
2101 bc = tvb_length_remaining(tvb, offset);
2102 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/* Wraps dissect_qfsi_FS_VOLUME_INFO() (last argument TRUE) in an
 * hf_smb2_fs_info_01 subtree that spans to the end of the tvb. */
2108 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2110 proto_item *item = NULL;
2111 proto_tree *tree = NULL;
2115 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
2116 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
/* Byte count for the helper is the remaining tvb length. bc's declaration
 * is on an omitted line, so check for narrowing (TODO confirm type). */
2120 bc = tvb_length_remaining(tvb, offset);
2121 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, TRUE);
/* Wraps dissect_qfsi_FS_SIZE_INFO() in an hf_smb2_fs_info_03 subtree that
 * spans to the end of the tvb. */
2127 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2129 proto_item *item = NULL;
2130 proto_tree *tree = NULL;
2134 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
2135 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
/* Byte count for the helper is the remaining tvb length. bc's declaration
 * is on an omitted line, so check for narrowing (TODO confirm type). */
2139 bc = tvb_length_remaining(tvb, offset);
2140 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
/* Wraps dissect_qfsi_FS_DEVICE_INFO() in an hf_smb2_fs_info_04 subtree that
 * spans to the end of the tvb. */
2146 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2148 proto_item *item = NULL;
2149 proto_tree *tree = NULL;
2153 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
2154 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
/* Byte count for the helper is the remaining tvb length. bc's declaration
 * is on an omitted line, so check for narrowing (TODO confirm type). */
2158 bc = tvb_length_remaining(tvb, offset);
2159 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
2164 static const value_string oplock_vals[] = {
2165 { 0x00, "No oplock" },
2166 { 0x01, "Level2 oplock" },
2167 { 0x08, "Exclusive oplock" },
2168 { 0x09, "Batch oplock" },
/* Adds the one-byte oplock field at offset. The offset advance and the
 * return are on lines this listing omits. */
2174 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2176 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* Dissects the 16-bit little-endian word that opens every command body.
 * The bits selected by 0xfffe are shown as "Fixed Part Length", and the
 * remaining low bit is covered by hf_smb2_buffer_code_flags_dyn.
 * If the caller wants it, the fixed-part length is stored through `length`. */
2183 dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint16 *length)
2187 guint16 buffer_code;
2189 /* dissect the first 2 bytes of the command PDU */
2190 buffer_code = tvb_get_letohs(tvb, offset);
2191 item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
2192 tree = proto_item_add_subtree(item, ett_smb2_buffercode);
2193 proto_tree_add_uint_format(tree, hf_smb2_buffer_code_len, tvb, offset, 2,
2194 buffer_code&0xfffe, "%s: %u",
2195 decode_numeric_bitfield(buffer_code, 0xfffe, 16, "Fixed Part Length"),
2196 buffer_code&0xfffe);
2197 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): the callers visible in this listing all pass NULL for
 * `length`, so this store must be guarded. The guard is presumably on
 * omitted line 2200; confirm before relying on it. */
2201 *length = buffer_code&0xfffe;
2207 #define NEGPROT_CAP_DFS 0x00000001
2208 #define NEGPROT_CAP_LEASING 0x00000002
2209 #define NEGPROT_CAP_LARGE_MTU 0x00000004
2210 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
2211 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
2212 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
2213 #define NEGPROT_CAP_ENCRYPTION 0x00000040
/* Dissects the 4-byte little-endian capabilities word: one parent item plus
 * a boolean child per capability. Each child is given the full 32-bit value
 * and the same 4-byte range. Selecting the individual bit is left to the
 * field definitions, which are not shown here. */
2215 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2218 proto_item *item = NULL;
2219 proto_tree *tree = NULL;
2221 cap = tvb_get_letohl(tvb, offset);
2223 item = proto_tree_add_item(parent_tree, hf_smb2_capabilities, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2224 tree = proto_item_add_subtree(item, ett_smb2_capabilities);
2227 proto_tree_add_boolean(tree, hf_smb2_cap_dfs, tvb, offset, 4, cap);
2228 proto_tree_add_boolean(tree, hf_smb2_cap_leasing, tvb, offset, 4, cap);
2229 proto_tree_add_boolean(tree, hf_smb2_cap_large_mtu, tvb, offset, 4, cap);
2230 proto_tree_add_boolean(tree, hf_smb2_cap_multi_channel, tvb, offset, 4, cap);
2231 proto_tree_add_boolean(tree, hf_smb2_cap_persistent_handles, tvb, offset, 4, cap);
2232 proto_tree_add_boolean(tree, hf_smb2_cap_directory_leasing, tvb, offset, 4, cap);
/* The encryption capability bit is shown as advertised by the peer. */
2233 proto_tree_add_boolean(tree, hf_smb2_cap_encryption, tvb, offset, 4, cap);
2242 #define NEGPROT_SIGN_REQ 0x0002
2243 #define NEGPROT_SIGN_ENABLED 0x0001
/* Dissects the one-byte security mode: a parent item plus "signing
 * required" and "signing enabled" booleans, both fed the whole byte.
 * These two flags are what an analyst checks to see whether a peer
 * advertises or demands message signing. */
2246 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2249 proto_item *item = NULL;
2250 proto_tree *tree = NULL;
2252 sm = tvb_get_guint8(tvb, offset);
2254 item = proto_tree_add_item(parent_tree, hf_smb2_security_mode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2255 tree = proto_item_add_subtree(item, ett_smb2_sec_mode);
2258 proto_tree_add_boolean(tree, hf_smb2_secmode_flags_sign_required, tvb, offset, 1, sm);
2259 proto_tree_add_boolean(tree, hf_smb2_secmode_flags_sign_enabled, tvb, offset, 1, sm);
2267 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
/* Dissects the one-byte SESSION_SETUP request flags: a parent item plus the
 * session-binding boolean, which is fed the whole byte. */
2270 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2273 proto_item *item = NULL;
2274 proto_tree *tree = NULL;
2276 sf = tvb_get_guint8(tvb, offset);
2278 item = proto_tree_add_item(parent_tree, hf_smb2_ses_req_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2279 tree = proto_item_add_subtree(item, ett_smb2_ses_req_flags);
2281 proto_tree_add_boolean(tree, hf_smb2_ses_req_flags_session_binding, tvb, offset, 1, sf);
2288 #define SES_FLAGS_GUEST 0x0001
2289 #define SES_FLAGS_NULL 0x0002
/* Dissects the 2-byte little-endian session flags from a SESSION_SETUP
 * response: a parent item plus the "null" and "guest" booleans, both fed the
 * whole 16-bit value. These two flags show whether the server granted an
 * anonymous or guest session rather than an authenticated one. */
2292 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2295 proto_item *item = NULL;
2296 proto_tree *tree = NULL;
2298 sf = tvb_get_letohs(tvb, offset);
2300 item = proto_tree_add_item(parent_tree, hf_smb2_session_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2301 tree = proto_item_add_subtree(item, ett_smb2_ses_flags);
2304 proto_tree_add_boolean(tree, hf_smb2_ses_flags_null, tvb, offset, 2, sf);
2305 proto_tree_add_boolean(tree, hf_smb2_ses_flags_guest, tvb, offset, 2, sf);
2313 #define SHARE_FLAGS_manual_caching 0x00000000
2314 #define SHARE_FLAGS_auto_caching 0x00000010
2315 #define SHARE_FLAGS_vdo_caching 0x00000020
2316 #define SHARE_FLAGS_no_caching 0x00000030
2318 static const value_string share_cache_vals[] = {
2319 { SHARE_FLAGS_manual_caching, "Manual caching" },
2320 { SHARE_FLAGS_auto_caching, "Auto caching" },
2321 { SHARE_FLAGS_vdo_caching, "VDO caching" },
2322 { SHARE_FLAGS_no_caching, "No caching" },
2326 #define SHARE_FLAGS_dfs 0x00000001
2327 #define SHARE_FLAGS_dfs_root 0x00000002
2328 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
2329 #define SHARE_FLAGS_force_shared_delete 0x00000200
2330 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
2331 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
2332 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
2333 #define SHARE_FLAGS_enable_hash_v1 0x00002000
2334 #define SHARE_FLAGS_enable_hash_v2 0x00004000
2335 #define SHARE_FLAGS_encryption_required 0x00008000
/* Dissects the 4-byte little-endian share flags as a bitmask of the fields
 * listed in sf_fields, then appends a "Caching policy" line decoded through
 * share_cache_vals. The terminator of sf_fields is on a line this listing
 * omits. */
2338 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
2340 static const int *sf_fields[] = {
2341 &hf_smb2_share_flags_dfs,
2342 &hf_smb2_share_flags_dfs_root,
2343 &hf_smb2_share_flags_restrict_exclusive_opens,
2344 &hf_smb2_share_flags_force_shared_delete,
2345 &hf_smb2_share_flags_allow_namespace_caching,
2346 &hf_smb2_share_flags_access_based_dir_enum,
2347 &hf_smb2_share_flags_force_levelii_oplock,
2348 &hf_smb2_share_flags_enable_hash_v1,
2349 &hf_smb2_share_flags_enable_hash_v2,
2350 &hf_smb2_share_flags_encrypt_data,
2356 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
/* NOTE(review): share_cache_vals only has entries for the caching bits
 * (0x00, 0x10, 0x20, 0x30). The whole word is read here, so cp must be
 * masked before the lookup. The mask is presumably on omitted line 2359;
 * confirm. */
2358 cp = tvb_get_letohl(tvb, offset);
2360 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
2368 #define SHARE_CAPS_DFS 0x00000008
2369 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
2370 #define SHARE_CAPS_SCALEOUT 0x00000020
2371 #define SHARE_CAPS_CLUSTER 0x00000040
/* Dissects the 4-byte little-endian share capabilities as a bitmask of the
 * fields listed in sc_fields. The array terminator is on an omitted line. */
2374 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
2376 static const int *sc_fields[] = {
2377 &hf_smb2_share_caps_dfs,
2378 &hf_smb2_share_caps_continuous_availability,
2379 &hf_smb2_share_caps_scaleout,
2380 &hf_smb2_share_caps_cluster,
2384 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
/* Routes a security blob to a sub-dissector. A blob of at least 7 bytes
 * whose first 7 bytes equal "NTLMSSP" goes to the NTLMSSP dissector
 * (tvb_memeql() returns 0 on a match, hence the negation). The GSS-API
 * call is the other branch; its `else` line is omitted by this listing.
 * The length test comes first, so the 7-byte compare is never attempted on
 * a shorter buffer. */
2392 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
2394 if ((tvb_length(tvb)>=7)
2395 && (!tvb_memeql(tvb, 0, "NTLMSSP", 7))) {
2396 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
2398 call_dissector(gssapi_handle, tvb, pinfo, tree);
/* Dissects a SESSION_SETUP request: flags, security mode, capabilities,
 * channel, the security blob (via dissect_smb2_secblob) and the previous
 * session id. On the first pass over a frame it also collects what the
 * NTLMSSP dissector tapped and, for each NTLMSSP_AUTH message, records a
 * session entry holding account, domain and host names plus the derived
 * decryption keys. */
2403 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2405 offset_length_buffer_t s_olb;
2406 const ntlmssp_header_t *ntlmssph;
2407 static int ntlmssp_tap_id = 0;
2410 if (!ntlmssp_tap_id) {
2411 GString *error_string;
2412 /* We dont specify any callbacks at all.
2413 * Instead we manually fetch the tapped data after the
2414 * security blob has been fully dissected and before
2415 * we exit from this dissector.
2417 error_string = register_tap_listener("ntlmssp", NULL, NULL,
2418 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL);
2419 if (!error_string) {
2420 ntlmssp_tap_id = find_tap_id("ntlmssp");
2422 g_string_free(error_string, TRUE);
/* NOTE(review): if registration fails, ntlmssp_tap_id stays 0 and no check
 * of it is visible before fetch_tapped_data() uses it below. The failure
 * text is also freed without being reported. */
2428 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2429 /* some unknown bytes */
2432 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
2435 offset = dissect_smb2_secmode(tree, tvb, offset);
2438 offset = dissect_smb2_capabilities(tree, tvb, offset);
2441 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2444 /* security blob offset/length */
2445 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2447 /* previous session id */
2448 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2452 /* the security blob itself */
2453 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2455 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
2457 /* If we have found a uid->acct_name mapping, store it */
2458 if (!pinfo->fd->flags.visited) {
2460 while ((ntlmssph = fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
/* The `ntlmssph &&` test repeats what the loop condition already
 * guarantees. */
2461 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
2462 static const gint8 zeros[NTLMSSP_KEY_LEN];
2463 smb2_sesid_info_t *sesid;
2464 sesid = se_new(smb2_sesid_info_t);
2465 sesid->sesid = si->sesid;
2466 sesid->acct_name = se_strdup(ntlmssph->acct_name);
2467 sesid->domain_name = se_strdup(ntlmssph->domain_name);
2468 sesid->host_name = se_strdup(ntlmssph->host_name);
/* An all-zero session key is treated as "no key known". Keys are derived
 * only for a non-zero key, and the memset() calls further down zero both
 * key buffers, presumably in the else branch (its line is omitted).
 * NOTE(review): the derived keys are kept in the se_-allocated session entry
 * and no explicit wipe of them is visible in this function. */
2469 if (memcmp(ntlmssph->session_key, zeros, NTLMSSP_KEY_LEN) != 0) {
2470 smb2_key_derivation(ntlmssph->session_key,
2474 sesid->server_decryption_key);
2475 smb2_key_derivation(ntlmssph->session_key,
2479 sesid->client_decryption_key);
2481 memset(sesid->server_decryption_key, 0,
2482 sizeof(sesid->server_decryption_key));
2483 memset(sesid->client_decryption_key, 0,
2484 sizeof(sesid->client_decryption_key));
2486 sesid->server_port = pinfo->destport;
2487 sesid->auth_frame = pinfo->fd->num;
/* NOTE(review): the tids table comes from g_hash_table_new() and no matching
 * destroy is visible here. The entry is inserted as its own key without a
 * prior lookup for an existing entry with the same session id. */
2488 sesid->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
2489 g_hash_table_insert(si->conv->sesids, sesid, sesid);
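/*
 * Dissect the body of an SMB2 ERROR response: StructureSize, Reserved
 * (2 bytes), ByteCount (4 bytes) and ErrorData.
 *
 * Returns the offset just past ErrorData.
 *
 * The listing this block comes from omits brace-only and other short lines.
 * The declaration, the offset advances and the return are restored here from
 * the field widths used below.
 */
static int
dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	gint byte_count;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* Reserved (2 bytes) */
	proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[].
	   SMB2 fields are little-endian and the item below is added as
	   ENC_LITTLE_ENDIAN, so the value used for the length must be read the
	   same way. A big-endian read turns a small count into a huge one. */
	byte_count = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* If the ByteCount field is zero then the server MUST supply an ErrorData field
	   that is one byte in length */
	if (byte_count == 0) byte_count = 1;

	/* ByteCount comes from the packet. Reject a negative or oversized value
	   with the usual bounds exception before it is used as an item length
	   (where -1 would mean "to end of buffer") or added to offset. */
	tvb_ensure_bytes_exist(tvb, offset, byte_count);

	/* ErrorData (variable): A variable-length data field that contains extended
	   error information.*/
	proto_tree_add_item(tree, hf_smb2_error_data, tvb, offset, byte_count, ENC_NA);
	offset += byte_count;

	return offset;
}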
/* Dissects a SESSION_SETUP response: session flags and the security blob
 * (via dissect_smb2_secblob). Unlike the other responses in this file it is
 * dissected the same way whatever the status, since an in-progress
 * authentication exchange still carries a blob. si is passed on even though
 * the signature marks it _U_. */
2528 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
2530 offset_length_buffer_t s_olb;
2532 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
2535 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2538 offset = dissect_smb2_ses_flags(tree, tvb, offset);
2540 /* security blob offset/length */
2541 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
2543 /* the security blob itself */
2544 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
2546 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
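/*
 * Dissect a TREE_CONNECT request and remember the share path so that the
 * matching response can attach it to the tree id.
 *
 * Returns the offset past the fixed part and the path buffer.
 *
 * The listing this block comes from omits brace-only and other short lines.
 * Declarations, the 2-byte reserved skip and the return are restored here.
 */
static int
dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	offset_length_buffer_t olb;
	const char *buf;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* reserved */
	offset += 2;

	/* tree offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);

	/* tree string; may be NULL, which is why the save below tests it */
	buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);

	/* treelen +1 is overkill here if the string is unicode,
	 * but who ever has more than a handful of TCON in a trace anyways
	 *
	 * The copy is bounded by g_snprintf(), so a converted string longer
	 * than olb.len bytes is truncated rather than written past the buffer.
	 */
	if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
		si->saved->extra_info_type = SMB2_EI_TREENAME;
		si->saved->extra_info = se_alloc(olb.len+1);
		g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
	}

	if (check_col(pinfo->cinfo, COL_INFO)) {
		/* Never hand a NULL pointer to %s. A request with no usable
		 * path buffer would otherwise reach the formatter with one. */
		col_append_fstr(pinfo->cinfo, COL_INFO, " Tree: %s", buf ? buf : "");
	}

	return offset;
}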
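/*
 * Dissect a TREE_CONNECT response. A non-success status is handed to
 * dissect_smb2_error_response(). On success the share type, share flags,
 * share capabilities and access mask are shown, and on the first pass the
 * path saved by the request is bound to the tree id in the session's table.
 *
 * Returns the offset past the dissected fields.
 *
 * The listing this block comes from omits brace-only and other short lines.
 * The declaration, closing braces, the tid assignment and guard, the offset
 * advance and the return are restored here.
 */
static int
dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	guint16 share_type;

	switch (si->status) {
	case 0x00000000: break;
	default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
	}

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* share type: a single byte, matching the 1-byte item added below.
	 * A 16-bit read here would fold the reserved byte into the value
	 * stored for the tree id whenever a peer sends it non-zero. */
	share_type = tvb_get_guint8(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	/* Next byte is reserved and must be set to zero */
	offset += 2;

	if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
		smb2_tid_info_t *tid, tid_key;

		/* Drop any older entry for this tree id before inserting the
		 * new one. */
		tid_key.tid = si->tid;
		tid = (smb2_tid_info_t *)g_hash_table_lookup(si->session->tids, &tid_key);
		if (tid) {
			g_hash_table_remove(si->session->tids, &tid_key);
		}
		tid = se_new(smb2_tid_info_t);
		tid->tid = si->tid;
		/* Ownership of the saved path moves to the tid entry. */
		tid->name = (char *)si->saved->extra_info;
		tid->connect_frame = pinfo->fd->num;
		tid->share_type = share_type;

		g_hash_table_insert(si->session->tids, tid, tid);

		si->saved->extra_info_type = SMB2_EI_NONE;
		si->saved->extra_info = NULL;
	}

	/* share flags */
	offset = dissect_smb2_share_flags(tree, tvb, offset);

	/* share capabilities */
	offset = dissect_smb2_share_caps(tree, tvb, offset);

	/* this is some sort of access mask */
	offset = dissect_smb_access_mask(tvb, tree, offset);

	return offset;
}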
/* Dissects a TREE_DISCONNECT request. Only the leading buffer-code word is
 * decoded in the lines this listing shows. */
2639 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2642 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* Dissects a TREE_DISCONNECT response. Any status other than 0 is handed to
 * dissect_smb2_error_response(); otherwise the buffer-code word is decoded.
 * si and pinfo are used despite their _U_ markers. */
2651 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2653 switch (si->status) {
2654 case 0x00000000: break;
2655 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2659 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* Dissects a LOGOFF request: the buffer-code word, followed by reserved
 * bytes whose handling is on lines this listing omits. */
2668 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2671 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2673 /* reserved bytes */
/* Dissects a LOGOFF response. Any status other than 0 is handed to
 * dissect_smb2_error_response(); otherwise the buffer-code word is decoded,
 * followed by reserved bytes whose handling is on omitted lines. */
2680 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2682 switch (si->status) {
2683 case 0x00000000: break;
2684 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2688 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2690 /* reserved bytes */
/* Dissects a KEEPALIVE (echo) request: the buffer-code word, then two bytes
 * shown as an undecoded hf_smb2_unknown item. */
2697 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2700 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2702 /* some unknown bytes */
2703 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Dissects a KEEPALIVE (echo) response. Any status other than 0 is handed
 * to dissect_smb2_error_response(); otherwise the buffer-code word and two
 * undecoded bytes are shown. */
2710 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
2712 switch (si->status) {
2713 case 0x00000000: break;
2714 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2718 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2720 /* some unknown bytes */
2721 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Dissects a CHANGE_NOTIFY request: 2-byte flags (with the watch-tree bit
 * as a child), 4-byte output buffer length, the file id and the completion
 * filter. The offset advances between the fields are on omitted lines. */
2728 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
2730 proto_tree *flags_tree = NULL;
2731 proto_item *flags_item = NULL;
2734 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2738 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2739 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
2741 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2744 /* output buffer length */
2745 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* FID_MODE_USE: the file id is looked up rather than opened or closed
 * (presumably; the mode's meaning is defined outside this listing). */
2749 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
2751 /* completion filter */
2752 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
/* Buffer callback for CHANGE_NOTIFY responses: the whole sub-tvb is shown
 * as one undecoded hf_smb2_unknown item. */
2761 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
2763 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/* Dissects a CHANGE_NOTIFY response. Any status other than 0 is handed to
 * dissect_smb2_error_response(); otherwise the output buffer described by a
 * 16-bit offset and 32-bit length is passed to
 * dissect_smb2_notify_data_out(). */
2767 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
2769 offset_length_buffer_t olb;
2771 switch (si->status) {
2772 case 0x00000000: break;
2773 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
2777 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
2779 /* out buffer offset/length */
2780 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
2783 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
2784 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
2789 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
2790 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
2791 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
2792 #define SMB2_FIND_FLAG_REOPEN 0x10
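/*
 * Dissect a QUERY_DIRECTORY (find) request: info level, find flags, file
 * index, file id, search pattern and output buffer length. On the first
 * pass the info level and a copy of the search pattern are saved so the
 * response can be decoded and labelled.
 *
 * Returns the offset past the fixed part and the pattern buffer.
 *
 * The listing this block comes from omits brace-only and other short lines.
 * Declarations, the array terminator, the si->saved guard, the offset
 * advances, the final format argument and the return are restored here.
 */
static int
dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t olb;
	const char *buf;
	guint8 il;
	static const int *f_fields[] = {
		&hf_smb2_find_flags_restart_scans,
		&hf_smb2_find_flags_single_entry,
		&hf_smb2_find_flags_index_specified,
		&hf_smb2_find_flags_reopen,
		NULL
	};

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	il = tvb_get_guint8(tvb, offset);
	if (si->saved) {
		si->saved->infolevel = il;
	}

	/* infolevel */
	proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
	offset += 1;

	/* find flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* file index */
	proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* search pattern offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);

	/* output buffer length */
	proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* search pattern; may be NULL when the buffer is not usable */
	buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);

	/* Same guard as the tree-connect request: only copy a pattern that
	 * was actually extracted. The copy is bounded by g_snprintf(). It is
	 * heap-allocated and released by the find response on its first pass.
	 * NOTE(review): a request whose response never appears in the capture
	 * keeps this allocation. */
	if (!pinfo->fd->flags.visited && si->saved && buf && olb.len) {
		si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
		si->saved->extra_info = g_malloc(olb.len+1);
		g_snprintf((char *)si->saved->extra_info,olb.len+1,"%s",buf);
	}

	if (check_col(pinfo->cinfo, COL_INFO)) {
		/* Never hand a NULL pointer to %s. */
		col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
				val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
				buf ? buf : "");
	}

	return offset;
}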
/* Walks the chain of directory-information entries in a find response
 * buffer. Each entry opens with a 4-byte next-entry offset and a file index,
 * followed by four timestamps, end-of-file, allocation size, attributes, a
 * 4-byte name length and the name. The loop runs while more than 4 bytes
 * remain and ends when an entry's next offset is 0.
 * This listing omits brace-only and other short lines (local declarations,
 * offset advances, `break`/`return`). */
2858 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2861 proto_item *item = NULL;
2862 proto_tree *tree = NULL;
2863 const char *name = NULL;
2866 while (tvb_length_remaining(tvb, offset) > 4) {
2867 int old_offset = offset;
2872 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
2873 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
/* next_offset is taken from the packet and is relative to old_offset. */
2877 next_offset = tvb_get_letohl(tvb, offset);
2878 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2882 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2886 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2889 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2892 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2895 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2898 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2901 /* allocation size */
2902 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2905 /* File Attributes */
2906 offset = dissect_file_ext_attr(tvb, tree, offset);
2908 /* file name length */
/* The name length is a 32-bit value from the packet.
 * NOTE(review): bc is set on an omitted line. If it is a 16-bit count, a
 * length above 65535 is narrowed before the string read (TODO confirm). */
2909 file_name_len = tvb_get_letohl(tvb, offset);
2910 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2914 if (file_name_len) {
2916 name = get_unicode_or_ascii_string(tvb, &offset,
2917 TRUE, &file_name_len, TRUE, TRUE, &bc);
2919 proto_tree_add_string(tree, hf_smb2_filename, tvb,
2920 offset, file_name_len, name);
2921 proto_item_append_text(item, ": %s", name);
2926 proto_item_set_len(item, offset-old_offset);
2928 if (next_offset == 0) {
/* NOTE(review): the sanity test runs only after old_offset+next_offset has
 * been computed. Comparing next_offset with tvb_length_remaining(tvb,
 * old_offset) before the addition would reject bad values without depending
 * on how the sum wraps. The "malformed" text item is also anchored at the
 * rejected offset; anchoring it at old_offset would keep the report inside
 * the buffer. */
2932 offset = old_offset+next_offset;
2933 if (offset < old_offset) {
2934 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
2935 "Invalid offset/length. Malformed packet");
/* Walks the chain of full-directory-information entries in a find response
 * buffer. The layout matches the plain directory entry, with a 4-byte EA
 * size between the name length and the name. The loop runs while more than
 * 4 bytes remain and ends when an entry's next offset is 0.
 * This listing omits brace-only and other short lines. */
2941 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
2944 proto_item *item = NULL;
2945 proto_tree *tree = NULL;
2946 const char *name = NULL;
2949 while (tvb_length_remaining(tvb, offset) > 4) {
2950 int old_offset = offset;
2955 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
2956 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
/* next_offset is taken from the packet and is relative to old_offset. */
2960 next_offset = tvb_get_letohl(tvb, offset);
2961 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2965 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2969 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
2972 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
2975 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
2978 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
2981 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2984 /* allocation size */
2985 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2988 /* File Attributes */
2989 offset = dissect_file_ext_attr(tvb, tree, offset);
2991 /* file name length */
/* The name length is a 32-bit value from the packet; see the note on bc
 * narrowing in the review comment at the end of the loop. */
2992 file_name_len = tvb_get_letohl(tvb, offset);
2993 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2997 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3001 if (file_name_len) {
3003 name = get_unicode_or_ascii_string(tvb, &offset,
3004 TRUE, &file_name_len, TRUE, TRUE, &bc);
3006 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3007 offset, file_name_len, name);
3008 proto_item_append_text(item, ": %s", name);
3013 proto_item_set_len(item, offset-old_offset);
3015 if (next_offset == 0) {
/* NOTE(review): next_offset is validated only after it has been added to
 * old_offset. A check against tvb_length_remaining(tvb, old_offset) before
 * the addition would not depend on the sum wrapping. The error item is also
 * anchored at the rejected offset rather than at old_offset. bc is set on an
 * omitted line; if it is 16-bit, name lengths above 65535 are narrowed
 * (TODO confirm). */
3019 offset = old_offset+next_offset;
3020 if (offset < old_offset) {
3021 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3022 "Invalid offset/length. Malformed packet");
/* Walks the chain of both-directory-information entries in a find response
 * buffer. On top of the full-directory fields each entry carries a one-byte
 * short-name length and a short name ahead of the long name. The loop runs
 * while more than 4 bytes remain and ends when an entry's next offset is 0.
 * This listing omits brace-only and other short lines. */
3028 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3031 proto_item *item = NULL;
3032 proto_tree *tree = NULL;
3033 const char *name = NULL;
3036 while (tvb_length_remaining(tvb, offset) > 4) {
3037 int old_offset = offset;
3043 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3044 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
/* next_offset is taken from the packet and is relative to old_offset. */
3048 next_offset = tvb_get_letohl(tvb, offset);
3049 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3053 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3057 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3060 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3063 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3066 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3069 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3072 /* allocation size */
3073 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3076 /* File Attributes */
3077 offset = dissect_file_ext_attr(tvb, tree, offset);
3079 /* file name length */
3080 file_name_len = tvb_get_letohl(tvb, offset);
3081 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3085 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3088 /* short name length */
3089 short_name_len = tvb_get_guint8(tvb, offset);
3090 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* The short name is read with a byte budget equal to its own one-byte
 * length field. */
3097 if (short_name_len) {
3098 bc = short_name_len;
3099 name = get_unicode_or_ascii_string(tvb, &offset,
3100 TRUE, &short_name_len, TRUE, TRUE, &bc);
3102 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3103 offset, short_name_len, name);
/* The long-name length is a 32-bit value from the packet. The budget for
 * this read is set on an omitted line. If bc is 16-bit, lengths above 65535
 * are narrowed (TODO confirm). */
3109 if (file_name_len) {
3111 name = get_unicode_or_ascii_string(tvb, &offset,
3112 TRUE, &file_name_len, TRUE, TRUE, &bc);
3114 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3115 offset, file_name_len, name);
3116 proto_item_append_text(item, ": %s", name);
3121 proto_item_set_len(item, offset-old_offset);
3123 if (next_offset == 0) {
/* NOTE(review): next_offset is validated only after it has been added to
 * old_offset. A check against tvb_length_remaining(tvb, old_offset) before
 * the addition would not depend on the sum wrapping. The error item is also
 * anchored at the rejected offset rather than at old_offset. */
3127 offset = old_offset+next_offset;
3128 if (offset < old_offset) {
3129 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3130 "Invalid offset/length. Malformed packet");
/* Walks the chain of name-only entries in a find response buffer: next
 * offset, file index, a 4-byte name length and the name. The loop runs while
 * more than 4 bytes remain and ends when an entry's next offset is 0.
 * This listing omits brace-only and other short lines. */
3136 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3139 proto_item *item = NULL;
3140 proto_tree *tree = NULL;
3141 const char *name = NULL;
3144 while (tvb_length_remaining(tvb, offset) > 4) {
3145 int old_offset = offset;
/* NOTE(review): this reuses the both-directory-info field and subtree ids,
 * so name-only entries are labelled and filtered as both-directory entries.
 * It looks copied from the function above; confirm whether a dedicated
 * field is intended. */
3150 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
3151 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
/* next_offset is taken from the packet and is relative to old_offset. */
3155 next_offset = tvb_get_letohl(tvb, offset);
3156 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3160 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3163 /* file name length */
3164 file_name_len = tvb_get_letohl(tvb, offset);
3165 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3169 if (file_name_len) {
3171 name = get_unicode_or_ascii_string(tvb, &offset,
3172 TRUE, &file_name_len, TRUE, TRUE, &bc);
3174 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3175 offset, file_name_len, name);
3176 proto_item_append_text(item, ": %s", name);
3181 proto_item_set_len(item, offset-old_offset);
3183 if (next_offset == 0) {
/* NOTE(review): next_offset is validated only after it has been added to
 * old_offset. A check against tvb_length_remaining(tvb, old_offset) before
 * the addition would not depend on the sum wrapping. The error item is also
 * anchored at the rejected offset rather than at old_offset. */
3187 offset = old_offset+next_offset;
3188 if (offset < old_offset) {
3189 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3190 "Invalid offset/length. Malformed packet");
/* Walks the chain of id-both-directory-information entries in a find
 * response buffer. The layout matches the both-directory entry, with an
 * 8-byte file id between the short name and the long name. The loop runs
 * while more than 4 bytes remain and ends when an entry's next offset is 0.
 * This listing omits brace-only and other short lines. */
3196 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
3199 proto_item *item = NULL;
3200 proto_tree *tree = NULL;
3201 const char *name = NULL;
3204 while (tvb_length_remaining(tvb, offset) > 4) {
3205 int old_offset = offset;
3211 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
3212 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
/* next_offset is taken from the packet and is relative to old_offset. */
3216 next_offset = tvb_get_letohl(tvb, offset);
3217 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3221 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3225 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3228 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3231 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3234 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3237 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3240 /* allocation size */
3241 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3244 /* File Attributes */
3245 offset = dissect_file_ext_attr(tvb, tree, offset);
3247 /* file name length */
3248 file_name_len = tvb_get_letohl(tvb, offset);
3249 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3253 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3256 /* short name length */
3257 short_name_len = tvb_get_guint8(tvb, offset);
3258 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
/* The short name is read with a byte budget equal to its own one-byte
 * length field. */
3265 if (short_name_len) {
3266 bc = short_name_len;
3267 name = get_unicode_or_ascii_string(tvb, &offset,
3268 TRUE, &short_name_len, TRUE, TRUE, &bc);
3270 proto_tree_add_string(tree, hf_smb2_short_name, tvb,
3271 offset, short_name_len, name);
3280 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* The long-name length is a 32-bit value from the packet. The budget for
 * this read is set on an omitted line. If bc is 16-bit, lengths above 65535
 * are narrowed (TODO confirm). */
3284 if (file_name_len) {
3286 name = get_unicode_or_ascii_string(tvb, &offset,
3287 TRUE, &file_name_len, TRUE, TRUE, &bc);
3289 proto_tree_add_string(tree, hf_smb2_filename, tvb,
3290 offset, file_name_len, name);
3291 proto_item_append_text(item, ": %s", name);
3296 proto_item_set_len(item, offset-old_offset);
3298 if (next_offset == 0) {
/* NOTE(review): next_offset is validated only after it has been added to
 * old_offset. A check against tvb_length_remaining(tvb, old_offset) before
 * the addition would not depend on the sum wrapping. The error item is also
 * anchored at the rejected offset rather than at old_offset. */
3302 offset = old_offset+next_offset;
3303 if (offset < old_offset) {
3304 proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset),
3305 "Invalid offset/length. Malformed packet");
3312 typedef struct _smb2_find_dissector_t {
3314 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
3315 } smb2_find_dissector_t;
3317 smb2_find_dissector_t smb2_find_dissectors[] = {
3318 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
3319 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
3320 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
3321 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
3322 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
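/*
 * Buffer callback for find responses: hand the buffer to the dissector
 * registered in smb2_find_dissectors for the info level saved from the
 * matching request. When no request was saved, or its level has no entry in
 * the table, the buffer is shown as undecoded bytes.
 *
 * The listing this block comes from omits brace-only and other short lines.
 * The early return after a match and the table advance are restored here.
 */
static void
dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	smb2_find_dissector_t *dis;

	/* The saved-request test does not change between table entries, so it
	 * is made once. The original tested si->saved twice per iteration. */
	if (si && si->saved) {
		for (dis = smb2_find_dissectors; dis->dissector; dis++) {
			if (dis->level == si->saved->infolevel) {
				dis->dissector(tvb, pinfo, tree, si);
				return;
			}
		}
	}

	proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
}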
/* Dissect a FIND response: show the info level held in si->saved, append the saved
 * search pattern to COL_INFO on the first pass, then pass the result buffer to
 * dissect_smb2_find_data.
 * NOTE(review): pinfo and si carry _U_ although both are used below. */
3345 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3347 offset_length_buffer_t olb;
3348 proto_item *item = NULL;
/* NOTE(review): si->saved is dereferenced here; the guard, if any, is on a line this
 * listing omits - confirm si->saved cannot be NULL for a response without a matched request. */
3352 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
3353 PROTO_ITEM_SET_GENERATED(item);
/* First pass only, and only when extra_info is tagged as a find pattern. The pattern is
 * passed as a "%s" argument, never as the format string. */
3356 if (!pinfo->fd->flags.visited && si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
3357 if (check_col(pinfo->cinfo, COL_INFO)) {
3358 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
3359 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
3360 (const char *)si->saved->extra_info);
/* Release the pattern and reset both the pointer and its type tag, so the freed
 * string cannot be printed or freed a second time. */
3363 g_free(si->saved->extra_info);
3364 si->saved->extra_info_type = SMB2_EI_NONE;
3365 si->saved->extra_info = NULL;
/* Any status other than 0 is dissected as an error response instead. */
3368 switch (si->status) {
3369 case 0x00000000: break;
3370 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3374 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3376 /* findinfo offset */
3377 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
/* The offset/length pair in olb comes from the packet; the data is reached through
 * the olb helpers rather than by indexing the tvb directly. */
3380 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
3382 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
/* Dissect a NEGOTIATE request: buffer code, dialect count, security mode,
 * capabilities, client GUID, boot time, then one 2-byte item per offered dialect. */
3388 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3393 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* dc is a 16-bit count taken from the packet and drives the loop at the end. */
3396 dc = tvb_get_letohs(tvb, offset);
3397 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3400 /* security mode, skip second byte */
3401 offset = dissect_smb2_secmode(tree, tvb, offset);
3409 offset = dissect_smb2_capabilities(tree, tvb, offset);
3412 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
3415 /* client boot time */
3416 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
/* A count larger than the data present is presumably stopped by the tvb bounds check
 * inside proto_tree_add_item; the offset increment is on a line not shown. */
3419 for ( ; dc>0; dc--) {
3420 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* Dissect a NEGOTIATE response: chosen dialect, server GUID, capabilities, size
 * limits, timestamps and the security blob.
 * NOTE(review): si carries _U_ although si->status is read below. */
3428 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
3430 offset_length_buffer_t s_olb;
/* Any status other than 0 is dissected as an error response instead. */
3432 switch (si->status) {
3433 case 0x00000000: break;
3434 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3438 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3440 /* security mode, skip second byte */
3441 offset = dissect_smb2_secmode(tree, tvb, offset);
3444 /* dialect picked */
3445 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3452 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
3456 offset = dissect_smb2_capabilities(tree, tvb, offset);
3458 /* max trans size */
3459 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3463 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3466 /* max write size */
3467 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3471 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_current_time);
3475 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_boot_time);
3478 /* security blob offset/length */
3479 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
/* The blob's offset and length come from the packet; it is handed to
 * dissect_smb2_secblob through the olb helper. */
3481 /* the security blob itself */
3482 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
3487 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
/* Dissect the class-specific parameter bytes of a GETINFO request, selected by the
 * class and info level stored in si->saved. Unhandled combinations are shown as 16
 * unknown bytes and offset is moved to the end of the buffer.
 * NOTE(review): si->saved is dereferenced without a check in the lines shown -
 * confirm the caller guarantees it is non-NULL. */
3493 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
3495 switch (si->saved->class) {
3496 case SMB2_CLASS_FILE_INFO:
3497 switch (si->saved->infolevel) {
3499 /* we don't handle this infolevel yet */
3500 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3501 offset += tvb_length_remaining(tvb, offset);
3504 case SMB2_CLASS_FS_INFO:
3505 switch (si->saved->infolevel) {
3507 /* we don't handle this infolevel yet */
3508 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3509 offset += tvb_length_remaining(tvb, offset);
3512 case SMB2_CLASS_SEC_INFO:
3513 switch (si->saved->infolevel) {
3514 case SMB2_SEC_INFO_00:
/* The security-information mask is read 8 bytes into the parameter block. */
3515 dissect_security_information_mask(tvb, tree, offset+8);
3518 /* we don't handle this infolevel yet */
3519 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3520 offset += tvb_length_remaining(tvb, offset);
3524 /* we don't handle this class yet */
3525 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3526 offset += tvb_length_remaining(tvb, offset);
/* Show the GETINFO/SETINFO class and info level. For a response both values are taken
 * from si->saved and the items are marked generated; for a request they are read from
 * the packet at offset and offset+1 and stored into si->saved. Only requests update
 * COL_INFO.
 * NOTE(review): si->saved is read and written below; any NULL guard is on lines this
 * listing omits - confirm. */
3533 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
/* Fallback table used for a class that has no level names of its own. */
3538 static const value_string dummy_value_string[] = {
3541 const value_string *vs;
3543 if (si->flags & SMB2_FLAGS_RESPONSE) {
3547 cl = si->saved->class;
3548 il = si->saved->infolevel;
3550 cl = tvb_get_guint8(tvb, offset);
3551 il = tvb_get_guint8(tvb, offset+1);
3553 si->saved->class = cl;
3554 si->saved->infolevel = il;
3560 case SMB2_CLASS_FILE_INFO:
3561 hfindex = hf_smb2_infolevel_file_info;
3562 vs = smb2_file_info_levels;
3564 case SMB2_CLASS_FS_INFO:
3565 hfindex = hf_smb2_infolevel_fs_info;
3566 vs = smb2_fs_info_levels;
3568 case SMB2_CLASS_SEC_INFO:
3569 hfindex = hf_smb2_infolevel_sec_info;
3570 vs = smb2_sec_info_levels;
3573 hfindex = hf_smb2_infolevel;
3574 vs = dummy_value_string;
3579 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
3580 if (si->flags & SMB2_FLAGS_RESPONSE) {
3581 PROTO_ITEM_SET_GENERATED(item);
3584 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
3585 if (si->flags & SMB2_FLAGS_RESPONSE) {
3586 PROTO_ITEM_SET_GENERATED(item);
3590 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
3591 /* Only update COL_INFO for requests. It clutters the
3592 * display a bit too much if we do it for replies
3595 if (check_col(pinfo->cinfo, COL_INFO)) {
3596 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
3597 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
3598 val_to_str(il, vs, "(Level:0x%02x)"));
/* Dissect a GETINFO request: buffer code, class and info level, maximum response
 * size, class-specific parameters, 16 bytes not yet decoded, and the file id. */
3606 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3609 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3611 /* class and info level */
3612 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
3614 /* max response size */
3615 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* The return value is not used here, so offset is not advanced by this call. */
3620 dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
3622 /* some unknown bytes */
3623 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 16, ENC_NA);
3628 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* Dissect an info buffer by dispatching on (class, infolevel) to the matching
 * structure dissector. A class or level without a handler is shown as unknown bytes
 * up to the end of the buffer. When the status is 0x80000005 (BUFFER_OVERFLOW) a
 * generated "Truncated..." item is added at the starting offset. */
3634 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, guint8 class, guint8 infolevel)
/* Remembered so the truncation marker can point at the start of the data. */
3636 int old_offset = offset;
3639 case SMB2_CLASS_FILE_INFO:
3640 switch (infolevel) {
3641 case SMB2_FILE_BASIC_INFO:
3642 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
3644 case SMB2_FILE_STANDARD_INFO:
3645 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
3647 case SMB2_FILE_INTERNAL_INFO:
3648 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
3650 case SMB2_FILE_EA_INFO:
3651 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
3653 case SMB2_FILE_ACCESS_INFO:
3654 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
3656 case SMB2_FILE_RENAME_INFO:
3657 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
3659 case SMB2_FILE_DISPOSITION_INFO:
3660 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
3662 case SMB2_FILE_POSITION_INFO:
3663 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
3665 case SMB2_FILE_FULL_EA_INFO:
3666 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
3668 case SMB2_FILE_MODE_INFO:
3669 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
3671 case SMB2_FILE_ALIGNMENT_INFO:
3672 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
3674 case SMB2_FILE_ALL_INFO:
3675 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
3677 case SMB2_FILE_ALLOCATION_INFO:
3678 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
3680 case SMB2_FILE_ENDOFFILE_INFO:
/* NOTE(review): unlike every sibling case, the return value is not stored in offset. */
3681 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
3683 case SMB2_FILE_ALTERNATE_NAME_INFO:
3684 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
3686 case SMB2_FILE_STREAM_INFO:
3687 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
3689 case SMB2_FILE_PIPE_INFO:
3690 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
3692 case SMB2_FILE_COMPRESSION_INFO:
3693 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
3695 case SMB2_FILE_NETWORK_OPEN_INFO:
3696 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
3698 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
3699 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
3702 /* we don't handle this infolevel yet */
3703 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3704 offset += tvb_length_remaining(tvb, offset);
3707 case SMB2_CLASS_FS_INFO:
3708 switch (infolevel) {
3709 case SMB2_FS_INFO_01:
3710 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
3712 case SMB2_FS_INFO_03:
3713 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
3715 case SMB2_FS_INFO_04:
3716 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
3718 case SMB2_FS_INFO_05:
3719 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
3721 case SMB2_FS_INFO_06:
3722 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
3724 case SMB2_FS_INFO_07:
3725 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
3727 case SMB2_FS_OBJECTID_INFO:
3728 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
3731 /* we don't handle this infolevel yet */
3732 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3733 offset += tvb_length_remaining(tvb, offset);
3736 case SMB2_CLASS_SEC_INFO:
3737 switch (infolevel) {
3738 case SMB2_SEC_INFO_00:
3739 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
3742 /* we don't handle this infolevel yet */
3743 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3744 offset += tvb_length_remaining(tvb, offset);
3748 /* we don't handle this class yet */
3749 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
3750 offset += tvb_length_remaining(tvb, offset);
3753 /* if we get BUFFER_OVERFLOW there will be truncated data */
3754 if (si->status == 0x80000005) {
3756 item = proto_tree_add_text(tree, tvb, old_offset, 0, "Truncated...");
3757 PROTO_ITEM_SET_GENERATED(item);
/* Buffer callback for GETINFO responses: dissect the data with the class and level
 * from si->saved, or show the whole buffer as unknown bytes. Which branch runs is
 * decided on lines this listing omits (presumably a test of si->saved - confirm). */
3763 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
3767 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->class, si->saved->infolevel);
3769 /* some unknown bytes */
3770 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/* Dissect a GETINFO response. Status 0 and 0x80000005 (BUFFER_OVERFLOW) continue to
 * the response buffer; the BUFFER_TOO_SMALL case shows only the required buffer
 * size; any other status is dissected as an error response. The buffer's offset and
 * length come from the packet and are consumed through the olb helpers. */
3777 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3779 offset_length_buffer_t olb;
3781 /* class/infolevel */
3782 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
3784 switch (si->status) {
3785 case 0x00000000: break;
3786 /* if we get BUFFER_OVERFLOW there will be truncated data */
3787 case 0x80000005: break;
3788 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
3789 * a guint32 specifying how big the buffer needs to be
3792 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3793 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
3794 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3798 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3803 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3804 /* response buffer offset and size */
3805 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
3808 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
/* Dissect a CLOSE request: buffer code, the 2-byte close flags with their subtree,
 * and the file id, which is passed to dissect_smb2_fid in FID_MODE_CLOSE. */
3814 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3816 proto_tree *flags_tree = NULL;
3817 proto_item *flags_item = NULL;
3820 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3824 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3825 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
3827 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3834 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
/* Dissect a CLOSE response: close flags, four NT timestamps, allocation size, end of
 * file and the file attributes. Any status other than 0 is dissected as an error
 * response instead.
 * NOTE(review): pinfo and si carry _U_ although both are used below. */
3840 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3842 proto_tree *flags_tree = NULL;
3843 proto_item *flags_item = NULL;
3845 switch (si->status) {
3846 case 0x00000000: break;
3847 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3851 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3855 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3856 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
3858 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* Create, last access, last write and last change times, in that order. */
3865 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
3868 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
3871 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
3874 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
3876 /* allocation size */
3877 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3881 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3884 /* File Attributes */
3885 offset = dissect_file_ext_attr(tvb, tree, offset);
/* Dissect a FLUSH request: buffer code, 6 bytes not yet decoded, and the file id. */
3891 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3894 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3896 /* some unknown bytes */
3897 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
3901 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* Dissect a FLUSH response: buffer code and 2 bytes not yet decoded. Any status other
 * than 0 is dissected as an error response instead.
 * NOTE(review): pinfo and si carry _U_ although both are used below. */
3907 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3909 switch (si->status) {
3910 case 0x00000000: break;
3911 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3915 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3917 /* some unknown bytes */
3918 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Dissect a LOCK request: buffer code, lock count, file id, then one 24-byte lock
 * element (file offset, length, flags) per counted lock. */
3926 dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3931 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* lock_count is a 16-bit count taken from the packet and drives the loop below. */
3934 lock_count = tvb_get_letohs(tvb, offset);
3935 proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3942 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
/* A count larger than the data present is presumably stopped by the tvb bounds check
 * on the 24-byte item below - confirm. */
3944 while (lock_count--) {
3945 proto_item *lock_item = NULL;
3946 proto_tree *lock_tree = NULL;
3947 static const int *lf_fields[] = {
3948 &hf_smb2_lock_flags_shared,
3949 &hf_smb2_lock_flags_exclusive,
3950 &hf_smb2_lock_flags_unlock,
3951 &hf_smb2_lock_flags_fail_immediately,
3956 lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
3957 lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
/* NOTE(review): the file offset is added to tree, while the length and flags of the
 * same element go to lock_tree. */
3961 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3965 proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3969 proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
/* Dissect a LOCK response: buffer code and 2 bytes not yet decoded. Any status other
 * than 0 is dissected as an error response instead.
 * NOTE(review): pinfo and si carry _U_ although both are used below. */
3980 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
3982 switch (si->status) {
3983 case 0x00000000: break;
3984 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
3988 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3990 /* some unknown bytes */
3991 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Dissect a CANCEL request: buffer code and 2 bytes not yet decoded. */
3997 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4000 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4002 /* some unknown bytes */
4003 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
/* Wrap datalen bytes at offset in a sub-tvb and offer it to the SMB2 heuristic
 * subdissectors, which add their output under top_tree. The captured length is
 * limited to what remains in tvb; the reported length is datalen. */
4011 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree)
4013 tvbuff_t *dcerpc_tvb;
/* NOTE(review): datalen is a guint32 that comes from the packet and is cast to int; a
 * value above G_MAXINT becomes negative and wins the MIN(). Confirm how tvb_new_subset
 * treats a negative length, or reject such a datalen before the cast. */
4014 dcerpc_tvb = tvb_new_subset(tvb, offset, MIN((int)datalen, tvb_length_remaining(tvb, offset)), datalen);
4016 /* dissect the full PDU */
4017 dissector_try_heuristic(smb2_heur_subdissector_list, dcerpc_tvb, pinfo, top_tree, NULL);
4025 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
/* Dissect a WRITE request: data offset, length, file offset, file id, channel fields
 * and flags, then the payload. On a pipe share the payload goes to the heuristic
 * subdissectors; otherwise it is shown as raw data and, when the export-object tap is
 * listening and the whole payload was captured, passed to feed_eo_smb2. */
4028 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4030 guint16 dataoffset = 0;
4031 guint32 data_tvb_len;
4034 static const int *f_fields[] = {
4035 &hf_smb2_write_flags_write_through,
4040 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* NOTE(review): a 32-bit read is stored in the 16-bit dataoffset while the item below
 * covers 2 bytes; tvb_get_letohs would match the field width. */
4043 dataoffset=tvb_get_letohl(tvb,offset);
4044 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* length comes from the packet and bounds everything that follows. */
4048 length = tvb_get_letohl(tvb, offset);
4049 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4053 off = tvb_get_letoh64(tvb, offset);
4054 if (si->saved) si->saved->file_offset=off;
4055 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/* NOTE(review): length is printed with %d; its declaration is on a line not shown -
 * if it is unsigned, %u would match. */
4058 if (check_col(pinfo->cinfo, COL_INFO)) {
4059 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", length, off);
4063 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4066 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4069 /* remaining bytes */
4070 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4073 /* write channel info offset */
4074 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4077 /* write channel info length */
4078 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4082 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
4085 /* data or dcerpc ?*/
4086 if (length && si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE) {
4087 offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
4091 /* just ordinary data */
4092 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
4094 data_tvb_len=(guint32)tvb_length_remaining(tvb, offset);
/* Advance by no more than what was captured, whatever length the packet declared. */
4096 offset += MIN(length,(guint32)tvb_length_remaining(tvb, offset));
/* Only a fully captured payload (captured bytes == declared length) reaches the tap. */
4098 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
4099 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
4100 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
/* Dissect a WRITE response: buffer code, reserved bytes, byte count written, the
 * remaining field and the channel info offset/length. Any status other than 0 is
 * dissected as an error response instead.
 * NOTE(review): pinfo and si carry _U_ although both are used below. */
4109 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4111 switch (si->status) {
4112 case 0x00000000: break;
4113 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4117 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4120 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4124 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4127 /* remaining, must be set to 0 */
4128 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4131 /* write channel info offset */
4132 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4135 /* write channel info length */
4136 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_PIPE_TRANSCEIVE: pass everything from offset to the end of the buffer to
 * dissect_file_data_dcerpc, in both directions (data_in is not consulted). */
4143 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, gboolean data_in _U_)
4145 dissect_file_data_dcerpc(tvb, pinfo, tree, offset, tvb_length_remaining(tvb, offset), top_tree);
/* FSCTL_LMR_REQUEST_RESILIENCY input data: a 4-byte timeout and a 4-byte reserved
 * field. The data_in test that skips output data is presumably on a line not shown. */
4149 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4151 /* There is no out data */
4157 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4161 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Dissect a Windows IPv4 socket address (family, port, address) under a
 * "Socket Address" subtree of len bytes, and append the address text to the subtree
 * item and to the parent item. */
4165 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
4167 proto_item *sub_item = NULL;
4168 proto_tree *sub_tree = NULL;
4169 proto_item *parent_item = NULL;
4177 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4178 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4179 parent_item = proto_tree_get_parent(parent_tree);
4183 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4187 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4191 addr = tvb_get_ipv4(tvb, offset);
4192 proto_tree_add_ipv4(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, addr);
4194 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
4197 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(tvb, offset));
/* Dissect a Windows IPv6 socket address (family, port, flow info, address, scope id)
 * under a "Socket Address" subtree of len bytes, and append the address text to the
 * subtree item and to the parent item.
 * NOTE(review): sin6_flowinfo and sin6_scope_id are 32-bit in the Windows SOCKADDR_IN6
 * layout, but both items below cover 2 bytes; confirm against the offset arithmetic on
 * the lines this listing omits. */
4202 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
4204 struct e_in6_addr addr;
4205 proto_item *sub_item = NULL;
4206 proto_tree *sub_tree = NULL;
4207 proto_item *parent_item = NULL;
4214 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4215 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4216 parent_item = proto_tree_get_parent(parent_tree);
4220 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4224 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4228 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4232 tvb_get_ipv6(tvb, offset, &addr);
4233 proto_tree_add_ipv6(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, (guint8 *)&addr);
4235 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
4238 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(tvb, offset));
4243 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* Dissect a Windows SOCKADDR_STORAGE by address family: IPv4 and IPv6 go to their own
 * helpers; any other family is shown as a "Socket Address" subtree carrying only the
 * family value. The family is read from the packet; len is set on a line not shown. */
4247 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
4250 proto_item *sub_item = NULL;
4251 proto_tree *sub_tree = NULL;
4252 proto_item *parent_item = NULL;
4255 family = tvb_get_letohs(tvb, offset);
4257 case WINSOCK_AF_INET:
4258 dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
4260 case WINSOCK_AF_INET6:
4261 dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
4266 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Socket Address");
4267 sub_tree = proto_item_add_subtree(sub_item, ett_windows_sockaddr);
4268 parent_item = proto_tree_get_parent(parent_tree);
4272 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* NOTE(review): both appends below target sub_item, whereas the IPv4 and IPv6 helpers
 * append once to sub_item and once to parent_item; parent_item is fetched above but
 * not used in the lines shown. */
4274 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
4277 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
/* Capability bits tested in dissect_smb2_NETWORK_INTERFACE_INFO.
 * NOTE(review): "RMDA" is spelled that way at every use in this file; the text it
 * selects is ", RDMA". */
4285 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
4286 #define NETWORK_INTERFACE_CAP_RMDA 0x00000002
/* Dissect one NETWORK_INTERFACE_INFO entry (next offset, interface index,
 * capabilities, RSS queue count, link speed, socket address) and then the entry that
 * next_offset points at, by calling itself on the remainder of the buffer.
 * NOTE(review): next_offset is read from the packet and the recursion depth follows the
 * chain it describes. The condition guarding the recursive call is on a line this
 * listing omits; confirm that a chain of small next_offset values cannot drive deep
 * recursion, or walk the chain in a loop with a cap on the entry count. */
4289 dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
4291 guint32 next_offset;
4294 proto_item *sub_item = NULL;
4295 proto_tree *sub_tree = NULL;
4296 proto_item *item = NULL;
4297 guint32 capabilities;
4300 const char *unit = NULL;
4302 next_offset = tvb_get_letohl(tvb, offset);
4308 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Network Interface");
4309 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_ioctl_network_interface);
4313 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4316 /* interface index */
4317 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4321 capabilities = tvb_get_letohl(tvb, offset);
4322 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_capabilities, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4323 proto_tree_add_boolean(sub_tree, hf_smb2_ioctl_network_interface_capability_rss, tvb, offset, 4, capabilities);
4324 proto_tree_add_boolean(sub_tree, hf_smb2_ioctl_network_interface_capability_rdma, tvb, offset, 4, capabilities);
/* NOTE(review): in the lines shown, item is still NULL at the first append below: the
 * capabilities item above is not stored in it, and item is first assigned at the link
 * speed field. That append therefore looks like it has no target. */
4325 if (capabilities != 0) {
4326 proto_item_append_text(item, "%s%s",
4327 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"",
4328 (capabilities & NETWORK_INTERFACE_CAP_RMDA)?", RDMA":"");
4330 proto_item_append_text(sub_item, "%s%s",
4331 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"",
4332 (capabilities & NETWORK_INTERFACE_CAP_RMDA)?", RDMA":"");
4337 /* rss queue count */
4338 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_rss_queue_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* Scale the link speed for display; unit is chosen on lines not shown.
 * NOTE(review): the division is done on the integer before the cast to gfloat, so the
 * fraction is dropped and "%.1f" always prints ".0". */
4342 link_speed = tvb_get_letoh64(tvb, offset);
4343 item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4344 if (link_speed >= (1000*1000*1000)) {
4345 val = (gfloat)(link_speed / (1000*1000*1000));
4347 } else if (link_speed >= (1000*1000)) {
4348 val = (gfloat)(link_speed / (1000*1000));
4350 } else if (link_speed >= (1000)) {
4351 val = (gfloat)(link_speed / (1000));
4354 val = (gfloat)(link_speed);
4357 proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
4359 proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);
4364 /* socket address */
4365 dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset);
/* The next entry starts next_offset bytes into the current buffer. */
4369 next_tvb = tvb_new_subset_remaining(tvb, next_offset);
4371 /* next extra info */
4372 dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
/* FSCTL_QUERY_NETWORK_INTERFACE_INFO output data: dissect the chain of
 * NETWORK_INTERFACE_INFO entries. The data_in test that skips input data is
 * presumably on a line not shown. */
4377 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4379 /* There is no in data */
4384 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
/* FSCTL_VALIDATE_NEGOTIATE_INFO_224: capabilities, GUID, security mode and dialect,
 * first with the client GUID and then with the server GUID. How data_in selects
 * between the two groups is on lines this listing omits.
 * NOTE(review): offset carries _U_ although it is used below. */
4388 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4391 * This is only used by Windows 8 beta
4395 offset = dissect_smb2_capabilities(tree, tvb, offset);
4398 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4401 /* security mode, skip second byte */
4402 offset = dissect_smb2_secmode(tree, tvb, offset);
4406 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4410 offset = dissect_smb2_capabilities(tree, tvb, offset);
4413 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4416 /* security mode, skip second byte */
4417 offset = dissect_smb2_secmode(tree, tvb, offset);
4421 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_VALIDATE_NEGOTIATE_INFO: the client-side group is capabilities, client GUID,
 * security mode, dialect count and the dialect list; the server-side group is
 * capabilities, server GUID, security mode and one dialect. How data_in selects
 * between them is on lines this listing omits.
 * NOTE(review): offset carries _U_ although it is used below. */
4427 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, gboolean data_in)
4433 offset = dissect_smb2_capabilities(tree, tvb, offset);
4436 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4439 /* security mode, skip second byte */
4440 offset = dissect_smb2_secmode(tree, tvb, offset);
/* dc is a 16-bit count taken from the packet; a count larger than the data present is
 * presumably stopped by the tvb bounds check in the loop body - confirm. */
4444 dc = tvb_get_letohs(tvb, offset);
4445 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4448 for ( ; dc>0; dc--) {
4449 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4454 offset = dissect_smb2_capabilities(tree, tvb, offset);
4457 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4460 /* security mode, skip second byte */
4461 offset = dissect_smb2_secmode(tree, tvb, offset);
4465 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_GET_SHADOW_COPY_DATA output data: volume count, label count, a byte count,
 * then one label string per counted volume.
 * NOTE(review): num_volumes is a 32-bit count taken from the packet and is the only
 * loop bound shown. Each pass advances offset by the len that
 * get_unicode_or_ascii_string reports; if len can be 0 on short or empty data, the
 * loop makes no progress for up to num_volumes passes. Confirm that the string helper
 * or a bounds check ends the loop, or stop when nothing remains in the buffer. */
4471 dissect_smb2_FSCTL_GET_SHADOW_COPY_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4473 guint32 num_volumes;
4475 /* There is no in data */
4481 num_volumes = tvb_get_letohl(tvb, offset);
4482 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_volumes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4486 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_num_labels, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4490 proto_tree_add_item(tree, hf_smb2_ioctl_shadow_copy_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4493 while (num_volumes--) {
4497 int old_offset = offset;
/* bc is the number of bytes left in the buffer. */
4499 bc = tvb_length_remaining(tvb, offset);
4500 name = get_unicode_or_ascii_string(tvb, &offset,
4501 TRUE, &len, TRUE, FALSE, &bc);
4502 proto_tree_add_string(tree, hf_smb2_ioctl_shadow_copy_label, tvb, old_offset, len, name);
/* offset is recomputed from old_offset and len, whatever the helper did to it. */
4504 offset = old_offset+len;
/* Dissect a 64-byte FILE_OBJECTID_BUFFER as four 16-byte fields: object id, birth
 * volume id, birth object id and domain id. */
4513 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
4515 proto_item *item = NULL;
4516 proto_tree *tree = NULL;
4518 /* FILE_OBJECTID_BUFFER */
4520 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
4521 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
4525 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4528 /* Birth Volume ID */
4529 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4532 /* Birth Object ID */
4533 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4537 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* FSCTL_CREATE_OR_GET_OBJECT_ID output data: one FILE_OBJECTID_BUFFER. The data_in
 * test that skips input data is presumably on a line not shown. */
4544 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4547 /* There is no in data */
4552 /* FILE_OBJECTID_BUFFER */
4553 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* FSCTL_GET_COMPRESSION output data: a 2-byte compression format. The data_in test
 * that skips input data is presumably on a line not shown. */
4559 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4562 /* There is no in data */
4567 /* compression format */
4568 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_SET_COMPRESSION input data: a 2-byte compression format. The data_in test
 * that skips output data is presumably on a line not shown. */
4574 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4577 /* There is no out data */
4582 /* compression format */
4583 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
/* FSCTL_SET_OBJECT_ID input data: one FILE_OBJECTID_BUFFER. The data_in test that
 * skips output data is presumably on a line not shown. */
4590 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4593 /* There is no out data */
4598 /* FILE_OBJECTID_BUFFER */
4599 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
/* FSCTL_SET_OBJECT_ID_EXTENDED payload: only the ExtendedInfo part of a
 * FILE_OBJECTID_BUFFER, shown as three 16-byte fields (birth volume id,
 * birth object id, domain id) added directly to tree.
 * NOTE(review): the offset advances between the fields are on lines this
 * listing does not show (the gutter numbers skip). */
4605 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, gboolean data_in)
4608 /* There is no out data */
4613 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
4615 /* Birth Volume ID */
4616 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4619 /* Birth Object ID */
4620 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
4624 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* Dispatches an IOCTL/FSCTL payload to its dissector by ioctl_function.
 * Every sub-dissector is started at offset 0 of tvb, and data_in is passed
 * through so the callee can pick the request (TRUE) or response (FALSE)
 * layout. The hf_smb2_unknown item at the end covers tvb_length(tvb) and is
 * presumably the default branch (the label is not shown in this listing).
 * NOTE(review): the callers in this file pass si->ioctl_function, which is
 * filled while parsing the packet, so each callee has to cope with a payload
 * that does not match the function code. */
4631 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in)
4635 dc = tvb_reported_length(tvb);
4637 switch (ioctl_function) {
4638 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
4640 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc);
4642 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc);
4646 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in);
4648 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
4649 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
4651 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
4652 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
4654 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
4655 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
4657 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
4658 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
4660 case 0x00144064: /* FSCTL_GET_SHADOW_COPY_DATA */
4661 dissect_smb2_FSCTL_GET_SHADOW_COPY_DATA(tvb, pinfo, tree, 0, data_in);
4663 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
4664 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
4665 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
4667 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
4668 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
4670 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
4671 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
4673 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
4674 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
4676 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
4677 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
4680 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_length(tvb), ENC_NA);
/* Buffer callback for the IOCTL input blob: forwards to
 * dissect_smb2_ioctl_data with data_in = TRUE and the function code and
 * top-level tree saved in si. */
4685 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4687 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, TRUE);
/* Buffer callback for the IOCTL output blob: forwards to
 * dissect_smb2_ioctl_data with data_in = FALSE and the function code and
 * top-level tree saved in si. */
4691 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4693 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, FALSE);
/* Dissects an SMB2 IOCTL request: buffer code, ioctl function (stored in
 * si->ioctl_function), fid, the input and output offset/length descriptors
 * with their max sizes, the flags word, then the two data blobs.
 * The blobs are dissected in ascending offset order so that a truncated
 * packet still yields as much as possible before the short-packet abort.
 * NOTE(review): the i_olb and o_olb offsets and lengths come straight from
 * the packet; range checking is left to dissect_smb2_olb_buffer and the tvb
 * accessors, neither of which is visible here - confirm they reject
 * out-of-range values. */
4697 dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4699 offset_length_buffer_t o_olb;
4700 offset_length_buffer_t i_olb;
4701 proto_tree *flags_tree = NULL;
4702 proto_item *flags_item = NULL;
4705 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4710 /* ioctl function */
4711 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
4714 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4716 /* in buffer offset/length */
4717 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
4719 /* max ioctl in size */
4720 proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4723 /* out buffer offset/length */
4724 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
4726 /* max ioctl out size */
4727 proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4732 flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4733 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
4735 proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4741 /* try to decode these blobs in the order they were encoded
4742 * so that for "short" packets we will dissect as much as possible
4743 * before aborting with "short packet"
4745 if (i_olb.off>o_olb.off) {
4747 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4749 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4752 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4754 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4757 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
4758 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
/* Dissects an SMB2 IOCTL response. Any status other than 0 is handed to
 * dissect_smb2_error_response. Otherwise: buffer code, two unknown bytes,
 * ioctl function (stored in si->ioctl_function from this packet), fid, the
 * input and output offset/length descriptors, then the two data blobs in
 * ascending offset order.
 * NOTE(review): the function code used to pick the payload dissector is the
 * one carried in the response itself, and the blob offsets and lengths are
 * wire values; bounds enforcement is left to dissect_smb2_olb_buffer, which
 * is not visible here - confirm. */
4764 dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4766 offset_length_buffer_t o_olb;
4767 offset_length_buffer_t i_olb;
4769 switch (si->status) {
4770 case 0x00000000: break;
4771 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4775 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4777 /* some unknown bytes */
4778 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
4781 /* ioctl function */
4782 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
4785 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4787 /* in buffer offset/length */
4788 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
4790 /* out buffer offset/length */
4791 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
4794 /* flags: reserved: must be zero */
4800 /* try to decode these blobs in the order they were encoded
4801 * so that for "short" packets we will dissect as much as possible
4802 * before aborting with "short packet"
4804 if (i_olb.off>o_olb.off) {
4806 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4808 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4811 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
4813 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
4816 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
4817 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
/* Dissects an SMB2 READ request: buffer code, 32-bit read length, 64-bit
 * file offset, fid, min count, channel, remaining bytes and the channel info
 * offset/length. Length and offset are appended to the Info column and
 * stored in si->saved (file_offset, bytes_moved) at the end.
 * NOTE(review): len is read with tvb_get_letohl but printed with %d, so a
 * wire value above INT_MAX would be shown as negative; its declaration is
 * not visible in this listing - confirm the type and consider %u.
 * NOTE(review): si->saved is dereferenced in the last two lines; the NULL
 * test is presumably on a line this listing drops (the gutter numbers skip
 * there) - confirm. */
4824 dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4830 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4832 /* padding and reserved */
4836 len = tvb_get_letohl(tvb, offset);
4837 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4841 off = tvb_get_letoh64(tvb, offset);
4842 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4845 if (check_col(pinfo->cinfo, COL_INFO)) {
4846 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" G_GINT64_MODIFIER "u", len, off);
4850 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4853 proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4857 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4860 /* remaining bytes */
4861 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4864 /* channel info offset */
4865 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4868 /* channel info length */
4869 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4872 /* there is a buffer here but it is never used (yet) */
4874 /* Store len and offset */
4876 si->saved->file_offset=off;
4877 si->saved->bytes_moved=len;
/* Dissects an SMB2 READ response. Any status other than 0 is handed to
 * dissect_smb2_error_response. Otherwise: buffer code, data offset, read
 * length, remaining bytes, then the payload. A non-empty payload on a pipe
 * share or with the async flag set goes to dissect_file_data_dcerpc; the
 * hf_smb2_read_data item covers `length` bytes and offset advances by
 * MIN(length, bytes actually present). The export-object tap is fed only
 * when the whole payload is present and both si->saved and si->eo_file_info
 * are set.
 * NOTE(review): dataoffset is a guint16 and the field is displayed as 2
 * bytes, but it is read with tvb_get_letohl (4 bytes): the value is truncated
 * to 16 bits and the read touches the two bytes after the field.
 * tvb_get_letohs would match the field width.
 * NOTE(review): length is a wire value used directly as an item length;
 * this relies on the tvb layer rejecting a range past the end of the packet -
 * confirm.
 * NOTE(review): si is marked _U_ (unused) in the signature but is used. */
4885 dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4887 guint16 dataoffset = 0;
4888 guint32 data_tvb_len;
4890 switch (si->status) {
4891 case 0x00000000: break;
4892 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
4896 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4899 dataoffset=tvb_get_letohl(tvb,offset);
4900 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4903 /* length might even be 64bits if they are ambitious*/
4904 length = tvb_get_letohl(tvb, offset);
4905 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4909 proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4916 * If the pidvalid flag is set we assume it is a deferred
4917 * STATUS_PENDING read and thus a named pipe (==dcerpc)
4919 if (length && ( (si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE)||(si->flags & SMB2_FLAGS_ASYNC_CMD))) {
4920 offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
4925 proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);
4927 data_tvb_len=(guint32)tvb_length_remaining(tvb, offset);
4929 offset += MIN(length,data_tvb_len);
4931 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
4932 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
4933 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,si->saved->file_offset);
/* Adds one text item spanning the whole tvb that flags a create-context
 * buffer which should not appear in this direction. buffer_desc is passed as
 * a %s argument, never as the format string. */
4941 report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, const char *buffer_desc)
4943 proto_tree_add_text(tree, tvb, 0, tvb_length_remaining(tvb, 0),
4944 "%s SHOULD NOT be generated. Malformed packet", buffer_desc);
/* ExtA create context, request side: labels the parent item and dissects the
 * buffer from offset 0 as SMB2_FILE_FULL_EA_INFO. */
4947 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4949 proto_item *item = NULL;
4951 item = proto_tree_get_parent(tree);
4952 proto_item_append_text(item, ": SMB2_FILE_FULL_EA_INFO");
4954 dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
/* ExtA create context, response side: not expected, so the buffer is only
 * reported as malformed. */
4958 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
4960 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
/* SecD create context, request side: labels the parent item and dissects the
 * buffer from offset 0 with dissect_smb2_sec_info_00. */
4964 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
4966 proto_item *item = NULL;
4968 item = proto_tree_get_parent(tree);
4969 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
4971 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
/* SecD create context, response side: not expected, so the buffer is only
 * reported as malformed. */
4975 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
4977 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
/* TWrp (timewarp) create context, request side: labels the parent item and
 * shows the 64-bit NT timestamp at offset 0. */
4981 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4983 proto_item *item = NULL;
4985 item = proto_tree_get_parent(tree);
4986 proto_item_append_text(item, ": Timestamp");
4988 dissect_nt_64bit_time(tvb, tree, 0, hf_smb2_twrp_timestamp);
/* TWrp create context, response side: not expected, so the buffer is only
 * reported as malformed. */
4992 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
4994 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
/* QFid create context, request side: the buffer is expected to be empty.
 * An empty tvb is labelled NO DATA; the malformed-packet label is presumably
 * the else branch (the else line is not shown in this listing). */
4998 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5000 proto_item *item = NULL;
5003 item = proto_tree_get_parent(tree);
5007 if (tvb_length(tvb) == 0) {
5008 proto_item_append_text(item, ": NO DATA");
5010 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
/* QFid create context, response side: adds a "QFid INFO" subtree and shows
 * the 32-byte on-disk id as opaque bytes.
 * NOTE(review): sub_tree is declared proto_item * here but proto_tree * in
 * dissect_smb2_MxAc_buffer_response; proto_tree * matches how it is used. */
5016 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5019 proto_item *item = NULL;
5020 proto_item *sub_item = NULL;
5021 proto_item *sub_tree = NULL;
5024 item = proto_tree_get_parent(tree);
5028 proto_item_append_text(item, ": QFid INFO");
5029 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "QFid INFO");
5030 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_QFid_buffer);
5033 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
/* AlSi create context, request side: shows the 8-byte little-endian
 * allocation size at offset 0. */
5037 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5039 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* AlSi create context, response side: not expected, so the buffer is only
 * reported as malformed. */
5043 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5045 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
/* DHnQ (durable handle request) create context, request side: dissects the
 * fid at offset 0 in FID_MODE_DHNQ. */
5049 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5051 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
/* DHnQ create context, response side: shows the 8 reserved bytes at
 * offset 0. */
5055 dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5057 proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
/* DHnC (durable handle reconnect) create context, request side: dissects the
 * fid at offset 0 in FID_MODE_DHNC. */
5061 dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5063 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
/* DHnC create context, response side: not expected, so the buffer is only
 * reported as malformed. */
5067 dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
5069 report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
5073 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
5079 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
5083 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
5088 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
5091 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
/* DH2Q (durable handle request v2) create context, request side: adds a
 * "DH2Q Request" subtree with the 4-byte timeout, the flags bitmask
 * (persistent-handle bit), 8 reserved bytes and the 16-byte create GUID.
 * NOTE(review): the offset advances between the fields are on lines this
 * listing does not show (the gutter numbers skip). */
5094 dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5096 static const int *dh2x_flags_fields[] = {
5097 &hf_smb2_dh2x_buffer_flags_persistent_handle,
5101 proto_item *item = NULL;
5102 proto_item *sub_item = NULL;
5103 proto_item *sub_tree = NULL;
5106 item = proto_tree_get_parent(tree);
5110 proto_item_append_text(item, ": DH2Q Request");
5111 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2Q Request");
5112 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2Q_buffer);
5116 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5120 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_dh2x_buffer_flags,
5121 ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
5125 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5129 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* DH2Q create context, response side: adds a "DH2Q Response" subtree with
 * the 4-byte timeout and the 4-byte flags word. Unlike the request side, the
 * flags are added as a plain item rather than a bitmask. */
5133 dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5136 proto_item *item = NULL;
5137 proto_item *sub_item = NULL;
5138 proto_item *sub_tree = NULL;
5141 item = proto_tree_get_parent(tree);
5145 proto_item_append_text(item, ": DH2Q Response");
5146 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2Q Response");
5147 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2Q_buffer);
5151 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5155 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* DH2C (durable handle reconnect v2) create context, request side: adds a
 * "DH2C Request" subtree with the fid (FID_MODE_DHNC), the 16-byte create
 * GUID and the 4-byte flags word.
 * NOTE(review): the return value of dissect_smb2_fid is not assigned on the
 * visible line; how offset is advanced past the fid is on lines this listing
 * does not show - confirm. */
5159 dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5162 proto_item *item = NULL;
5163 proto_item *sub_item = NULL;
5164 proto_item *sub_tree = NULL;
5167 item = proto_tree_get_parent(tree);
5171 proto_item_append_text(item, ": DH2C Request");
5172 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "DH2C Request");
5173 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_DH2C_buffer);
5177 dissect_smb2_fid(tvb, pinfo, sub_tree, offset, si, FID_MODE_DHNC);
5181 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5185 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* DH2C create context, response side: not expected, so the buffer is only
 * reported as malformed. */
5189 dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
5191 report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
/* MxAc (query maximal access) create context, request side: an empty buffer
 * is labelled NO DATA; otherwise the buffer is shown as a 64-bit NT
 * timestamp. The early return after the NO DATA label is presumably on a
 * line this listing does not show. */
5195 dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5198 proto_item *item = NULL;
5201 item = proto_tree_get_parent(tree);
5204 if (tvb_length(tvb) == 0) {
5206 proto_item_append_text(item, ": NO DATA");
5212 proto_item_append_text(item, ": Timestamp");
5215 dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_mxac_timestamp);
/* MxAc create context, response side: an empty buffer is labelled NO DATA;
 * otherwise a "MxAc INFO" subtree gets the 4-byte query status followed by
 * the access mask.
 * NOTE(review): hf_smb2_mxac_status is added with ENC_BIG_ENDIAN while every
 * other integer field in this listing is ENC_LITTLE_ENDIAN - confirm the byte
 * order, since a wrong one misreports the status value. */
5219 dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5222 proto_item *item = NULL;
5223 proto_item *sub_item = NULL;
5224 proto_tree *sub_tree = NULL;
5227 item = proto_tree_get_parent(tree);
5230 if (tvb_length(tvb) == 0) {
5232 proto_item_append_text(item, ": NO DATA");
5238 proto_item_append_text(item, ": MxAc INFO");
5239 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "MxAc INFO");
5240 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_MxAc_buffer);
5243 proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_BIG_ENDIAN);
5246 dissect_smb_access_mask(tvb, sub_tree, offset);
5250 * SMB2_CREATE_REQUEST_LEASE 32
5254 * 8 - lease duration
5256 * SMB2_CREATE_REQUEST_LEASE_V2 52
5260 * 8 - lease duration
5261 * 16 - parent lease key
5264 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
5265 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
5266 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
5268 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
5269 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
5270 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
5272 static const int *lease_state_fields[] = {
5273 &hf_smb2_lease_state_read_caching,
5274 &hf_smb2_lease_state_handle_caching,
5275 &hf_smb2_lease_state_write_caching,
5278 static const int *lease_flags_fields[] = {
5279 &hf_smb2_lease_flags_break_ack_required,
5280 &hf_smb2_lease_flags_break_in_progress,
5281 &hf_smb2_lease_flags_parent_lease_key_set,
/* Dissects an RqLs lease create context, request or response. The variant
 * is chosen by the buffer length alone: 32 bytes is LEASE_V1, 52 bytes is
 * LEASE_V2, and the malformed-buffer report is presumably the default branch
 * for any other length. Fields: 16-byte lease key, lease state bitmask,
 * lease flags bitmask, 8-byte lease duration, then parent lease key and
 * lease epoch.
 * NOTE(review): the parent lease key and epoch only exist in the 52-byte
 * layout; the test that skips them for V1, and the return after the
 * malformed report, are on lines this listing does not show - confirm. */
5286 dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
5290 proto_item *sub_item = NULL;
5291 proto_tree *sub_tree = NULL;
5292 proto_item *parent_item = NULL;
5295 parent_item = proto_tree_get_parent(parent_tree);
5298 len = tvb_length(tvb);
5301 case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
5303 proto_item_append_text(parent_item, ": LEASE_V1");
5304 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "LEASE_V1");
5305 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_RqLs_buffer);
5309 case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
5311 proto_item_append_text(parent_item, ": LEASE_V2");
5312 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "LEASE_V2");
5313 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_RqLs_buffer);
5318 report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
5322 proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5325 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_state,
5326 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5329 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_flags,
5330 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5333 proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5340 proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5343 proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* RqLs create context, request side: same layout as the response, so it
 * forwards to dissect_SMB2_CREATE_LEASE_VX. */
5347 dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5349 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
/* RqLs create context, response side: same layout as the request, so it
 * forwards to dissect_SMB2_CREATE_LEASE_VX. */
5353 dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5355 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
5359 * SMB2_CREATE_APP_INSTANCE_ID
5360 * 2 - structure size - 20
5362 * 16 - application guid
/* SMB2_CREATE_APP_INSTANCE_ID create context, request side: adds an
 * "APP INSTANCE ID" subtree with the 2-byte structure size, 2 reserved bytes
 * and the 16-byte application GUID.
 * NOTE(review): the structure size is displayed but, on the lines visible
 * here, not compared with the expected value or with the buffer length. */
5366 dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5369 proto_item *item = NULL;
5370 proto_item *sub_item = NULL;
5371 proto_item *sub_tree = NULL;
5374 item = proto_tree_get_parent(tree);
5378 proto_item_append_text(item, ": APP INSTANCE ID");
5379 sub_item = proto_tree_add_text(tree, tvb, offset, -1, "APP INSTANCE ID");
5380 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_APP_INSTANCE_buffer);
5384 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
5385 tvb, offset, 2, ENC_LITTLE_ENDIAN);
5389 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
5390 tvb, offset, 2, ENC_LITTLE_ENDIAN);
5394 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
/* SMB2_CREATE_APP_INSTANCE_ID create context, response side: not expected,
 * so the buffer is only reported as malformed. */
5398 dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
5400 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
/* Create-context dispatch table. Each entry pairs a context tag as it
 * appears in the packet (a four-character name, or a GUID string for the
 * app instance id) with a descriptive name and the request/response
 * dissector callbacks. The two string members of the entry struct are on
 * lines this listing does not show.
 * NOTE(review): the array is defined without static, so it has external
 * linkage; make it static (and const, if nothing writes to it) unless
 * another file refers to it. */
5403 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
5405 typedef struct create_context_data_dissectors {
5406 create_context_data_dissector_t request;
5407 create_context_data_dissector_t response;
5408 } create_context_data_dissectors_t;
5410 struct create_context_data_tag_dissectors {
5413 create_context_data_dissectors_t dissectors;
5416 struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
5417 { "ExtA", "SMB2_CREATE_EA_BUFFER",
5418 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
5419 { "SecD", "SMB2_CREATE_SD_BUFFER",
5420 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
5421 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
5422 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
5423 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
5424 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
5425 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
5426 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
5427 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
5428 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
5429 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
5430 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
5431 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
5432 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
5433 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
5434 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
5435 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
5436 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
5437 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
5438 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
5439 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
5440 { dissect_smb2_APP_INSTANCE_buffer_request,
5441 dissect_smb2_APP_INSTANCE_buffer_response } }
/* Looks up a create-context tag in create_context_dissectors_array by exact
 * strcmp match and returns the matching entry. INVALID is a static fallback
 * entry with NULL callbacks; returning it for an unknown tag is presumably
 * done on a line this listing does not show.
 * NOTE(review): strcmp requires a non-NULL tag. The caller passes the result
 * of dissect_smb2_olb_string on packet data - confirm that helper never
 * returns NULL (for example for a zero-length tag), or test for NULL here. */
5444 static struct create_context_data_tag_dissectors*
5445 get_create_context_data_tag_dissectors(const char *tag)
5447 static struct create_context_data_tag_dissectors INVALID = {
5448 NULL, "<invalid>", { NULL, NULL }
5452 for (i = 0; i<array_length(create_context_dissectors_array); i++) {
5453 if (!strcmp(tag, create_context_dissectors_array[i].tag))
5454 return &create_context_dissectors_array[i];
/* Dissects one element of the create-context chain and then the rest of the
 * chain. For each element: the chain offset, the tag offset/length and data
 * offset/length descriptors, the tag string, a lookup of the tag's
 * dissectors, and a call through dissect_smb2_olb_buffer with the request or
 * response callback picked by SMB2_FLAGS_RESPONSE. The tag text from the
 * packet is only ever passed as a %s argument.
 * NOTE(review): chain_offset is declared guint16 but is filled from
 * tvb_get_letohl, and the field is displayed as 4 bytes, so a chain offset
 * above 0xFFFF is silently truncated before it is used to build chain_tvb.
 * NOTE(review): the function calls itself once per chain element, so the
 * recursion depth is set by packet contents. The test on chain_offset that
 * ends the chain is not visible in this listing; confirm that zero stops it,
 * and consider a loop or a depth cap so that a crafted capture cannot drive
 * deep recursion.
 * NOTE(review): for an unknown tag the callbacks are presumably NULL (see the
 * INVALID entry in the lookup helper); whether dissect_smb2_olb_buffer
 * accepts a NULL callback is not visible here - confirm. */
5460 dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
5462 offset_length_buffer_t tag_olb;
5463 offset_length_buffer_t data_olb;
5465 guint16 chain_offset;
5468 proto_item *sub_item = NULL;
5469 proto_tree *sub_tree = NULL;
5470 proto_item *parent_item = NULL;
5471 create_context_data_dissectors_t *dissectors = NULL;
5472 create_context_data_dissector_t dissector = NULL;
5473 struct create_context_data_tag_dissectors *tag_dissectors;
5475 chain_offset = tvb_get_letohl(tvb, offset);
5481 sub_item = proto_tree_add_text(parent_tree, tvb, offset, len, "Chain Element");
5482 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_create_chain_element);
5483 parent_item = proto_tree_get_parent(parent_tree);
5487 proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5490 /* tag offset/length */
5491 offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);
5493 /* data offset/length */
5494 dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);
5497 tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
5499 tag_dissectors = get_create_context_data_tag_dissectors(tag);
5501 proto_item_append_text(parent_item, " %s", tag);
5502 proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);
5505 dissectors = &tag_dissectors->dissectors;
5507 dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;
5509 dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);
5512 tvbuff_t *chain_tvb;
5513 chain_tvb = tvb_new_subset_remaining(tvb, chain_offset);
5515 /* next extra info */
5516 dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
/* Dissects an SMB2 CREATE request: buffer code, oplock, impersonation level,
 * create flags, access mask, file attributes, share access, create
 * disposition, create options, then the filename and extra-info
 * offset/length descriptors, the filename string and the create-context
 * chain (via dissect_smb2_create_extra_info).
 * On the first pass over a frame the filename is kept in
 * si->saved->extra_info: any previous SMB2_EI_FILENAME value is freed and
 * cleared first, and a new copy is made only when f_olb.len is non-zero and
 * below 256. The copy is bounded: the buffer is f_olb.len+1 bytes and
 * g_snprintf is given that same size.
 * NOTE(review): f_olb and e_olb are wire-controlled offsets and lengths;
 * range checking is left to dissect_smb2_olb_string and
 * dissect_smb2_olb_buffer, which are not visible here - confirm. */
5521 dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5523 offset_length_buffer_t f_olb, e_olb;
5527 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5529 /* security flags */
5533 offset = dissect_smb2_oplock(tree, tvb, offset);
5535 /* impersonation level */
5536 proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5540 proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5547 offset = dissect_smb_access_mask(tvb, tree, offset);
5549 /* File Attributes */
5550 offset = dissect_file_ext_attr(tvb, tree, offset);
5553 offset = dissect_nt_share_access(tvb, tree, offset);
5555 /* create disposition */
5556 proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5559 /* create options */
5560 offset = dissect_nt_create_options(tvb, tree, offset);
5562 /* filename offset/length */
5563 offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);
5565 /* extrainfo offset */
5566 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
5568 /* filename string */
5569 fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
5570 if (check_col(pinfo->cinfo, COL_INFO)) {
5571 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", fname);
5574 /* save the name if it looks sane */
5575 if (!pinfo->fd->flags.visited) {
5576 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
5577 g_free(si->saved->extra_info);
5578 si->saved->extra_info = NULL;
5579 si->saved->extra_info_type = SMB2_EI_NONE;
5581 if (si->saved && f_olb.len && f_olb.len<256) {
5582 si->saved->extra_info_type = SMB2_EI_FILENAME;
5583 si->saved->extra_info = g_malloc(f_olb.len+1);
5584 g_snprintf(si->saved->extra_info, f_olb.len+1, "%s", fname);
5588 /* If extrainfo_offset is non-null then this points to another
5589 * buffer. The offset is relative to the start of the smb packet
5591 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
5593 offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
5594 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
5599 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
/* Dissects an SMB2 CREATE response. Any status other than 0 is handed to
 * dissect_smb2_error_response. Otherwise: buffer code, oplock, response
 * flags bitmask, create action, the four NT timestamps, allocation size,
 * end of file, file attributes, fid (FID_MODE_OPEN), the extra-info
 * descriptor and the create-context chain.
 * end_of_file is written to si->eo_file_info once before dissect_smb2_fid
 * and again after it, together with attr_mask, because the file-info entry
 * may only come into existence inside dissect_smb2_fid.
 * At the end any filename saved in si->saved->extra_info by the request is
 * freed and the pointer and type are reset, so it cannot be freed twice.
 * NOTE(review): e_olb is a wire-controlled offset/length; range checking is
 * left to dissect_smb2_olb_buffer, which is not visible here - confirm. */
5602 dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5604 guint64 end_of_file;
5606 offset_length_buffer_t e_olb;
5607 static const int *create_rep_flags_fields[] = {
5608 &hf_smb2_create_rep_flags_reparse_point,
5612 switch (si->status) {
5613 case 0x00000000: break;
5614 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
5618 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5621 offset = dissect_smb2_oplock(tree, tvb, offset);
5624 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
5625 ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
5629 proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5633 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_create_timestamp);
5636 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_access_timestamp);
5639 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_write_timestamp);
5642 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb2_last_change_timestamp);
5644 /* allocation size */
5645 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5649 end_of_file = tvb_get_letoh64(tvb, offset);
5650 if (si->eo_file_info) {
5651 si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
5653 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5656 /* File Attributes */
5657 attr_mask=tvb_get_letohl(tvb, offset);
5658 offset = dissect_file_ext_attr(tvb, tree, offset);
5664 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);
5666 /* We save this after dissect_smb2_fid just because it would be
5667 possible to have this response without having the matching request.
5668 In that case the entry in the file info hash table has been created
5669 in dissect_smb2_fid */
5670 if (si->eo_file_info) {
5671 si->eo_file_info->end_of_file = end_of_file;
5672 si->eo_file_info->attr_mask = attr_mask;
5675 /* extrainfo offset */
5676 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
5678 /* If extrainfo_offset is non-null then this points to another
5679 * buffer. The offset is relative to the start of the smb packet
5681 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
5683 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
5685 /* free si->saved->extra_info we dont need it any more */
5686 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
5687 g_free(si->saved->extra_info);
5688 si->saved->extra_info = NULL;
5689 si->saved->extra_info_type = SMB2_EI_NONE;
/* Dissects an SMB2 SET_INFO request: buffer code, class and info level,
 * 32-bit setinfo size, 16-bit setinfo offset, 6 unknown bytes, fid, then the
 * info-level payload at setinfo_offset.
 * NOTE(review): the returned offset is setinfo_offset + setinfo_size, both
 * read from the packet, stored in a signed int. A large setinfo_size can
 * make the result negative or wrapped; consider clamping it against the tvb
 * length before returning it to the caller.
 * NOTE(review): si->saved is dereferenced in the dissect_smb2_infolevel
 * call; the NULL test is presumably on a line this listing drops (the gutter
 * numbers skip just before it) - confirm. */
5697 dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5699 guint32 setinfo_size;
5700 guint16 setinfo_offset;
5703 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5705 /* class and info level */
5706 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
5709 setinfo_size = tvb_get_letohl(tvb, offset);
5710 proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5714 setinfo_offset = tvb_get_letohs(tvb, offset);
5715 proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5718 /* some unknown bytes */
5719 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 6, ENC_NA);
5723 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5727 dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->class, si->saved->infolevel);
5728 offset = setinfo_offset + setinfo_size;
/* Dissects an SMB2 SET_INFO response. dissect_smb2_class_infolevel is called
 * first, before the status check, and its return value is not used to
 * advance offset. Any status other than 0 is then handed to
 * dissect_smb2_error_response; otherwise only the buffer code follows. */
5734 dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5736 /* class/infolevel */
5737 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
5739 switch (si->status) {
5740 case 0x00000000: break;
5741 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
5745 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
/* Dissects an SMB2 BREAK request. The layout is chosen by the buffer code
 * read from the packet: 24 is dissected as oplock level plus fid, 36 as a
 * lease break acknowledgment (2 reserved bytes, lease flags, 16-byte lease
 * key, lease state, 8-byte lease duration).
 * NOTE(review): buffer_code is a wire value; what happens for any other
 * value is on lines this listing does not show - confirm that such packets
 * are left undissected rather than parsed with one of the two layouts. */
5751 dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5753 guint16 buffer_code;
5756 buffer_code = tvb_get_letohs(tvb, offset);
5757 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5759 if (buffer_code == 24) {
5763 offset = dissect_smb2_oplock(tree, tvb, offset);
5772 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5777 if (buffer_code == 36) {
5778 /* Lease Break Acknowledgment */
5781 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5785 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5786 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5790 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5794 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5795 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5798 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
/*
 * Dissect the body of an SMB2 Break response (also used for break
 * notifications, per the comments below).
 *
 * Any status other than 0x00000000 is handed to
 * dissect_smb2_error_response(). Otherwise the 16-bit little-endian buffer
 * code selects the layout:
 *   24 - OPLOCK Break Notification: oplock, then a file id
 *   44 - Lease Break Notification: reserved, lease flags, lease key, current
 *        and new lease state, break reason, access mask hint, share mask hint
 *   36 - Lease Break Response: reserved, lease flags, lease key, lease state,
 *        lease duration
 * No handling of other buffer codes is visible in this function.
 *
 * NOTE(review): buffer_code comes from the packet. It only selects which
 * fixed layout is displayed; the field widths below are constants.
 */
5808 dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5810 guint16 buffer_code;
/* only a zero status continues as a normal response */
5812 switch (si->status) {
5813 case 0x00000000: break;
5814 default: return dissect_smb2_error_response(tvb, pinfo, tree, offset, si);
/* read the code before dissect_smb2_buffercode() advances offset past it */
5818 buffer_code = tvb_get_letohs(tvb, offset);
5819 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5821 if (buffer_code == 24) {
5822 /* OPLOCK Break Notification */
5825 offset = dissect_smb2_oplock(tree, tvb, offset);
5834 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
5836 /* in break requests from server to client here're 24 byte zero bytes
5837 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
5843 if (buffer_code == 44) {
5846 /* Lease Break Notification */
5849 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5853 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5854 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5858 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5861 /* current lease state */
5862 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5863 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
/* the same hf_smb2_lease_state field is used twice, so prefix the label to tell them apart */
5865 proto_item_prepend_text(item, "Current ");
5869 /* new lease state */
5870 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5871 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5873 proto_item_prepend_text(item, "New ");
5877 /* break reason - reserved */
5878 proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5881 /* access mask hint - reserved */
5882 proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5885 /* share mask hint - reserved */
5886 proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5892 if (buffer_code == 36) {
5893 /* Lease Break Response */
5896 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5900 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
5901 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
5905 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5909 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
5910 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
5913 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5922 /* names here are just until we find better names for these functions */
/*
 * Command code to display name. decode_smb2_name() uses the command code as
 * a direct array index into this table, so the table needs one entry per
 * code from 0x00 to 0xFF, in ascending order. A missing or reordered entry
 * would make decode_smb2_name() return the wrong name or index past the
 * entry it means to read.
 */
5923 static const value_string smb2_cmd_vals[] = {
5924 { 0x00, "Negotiate Protocol" },
5925 { 0x01, "Session Setup" },
5926 { 0x02, "Session Logoff" },
5927 { 0x03, "Tree Connect" },
5928 { 0x04, "Tree Disconnect" },
5937 { 0x0D, "KeepAlive" },
5940 { 0x10, "GetInfo" },
5941 { 0x11, "SetInfo" },
5943 { 0x13, "unknown-0x13" },
5944 { 0x14, "unknown-0x14" },
5945 { 0x15, "unknown-0x15" },
5946 { 0x16, "unknown-0x16" },
5947 { 0x17, "unknown-0x17" },
5948 { 0x18, "unknown-0x18" },
5949 { 0x19, "unknown-0x19" },
5950 { 0x1A, "unknown-0x1A" },
5951 { 0x1B, "unknown-0x1B" },
5952 { 0x1C, "unknown-0x1C" },
5953 { 0x1D, "unknown-0x1D" },
5954 { 0x1E, "unknown-0x1E" },
5955 { 0x1F, "unknown-0x1F" },
5956 { 0x20, "unknown-0x20" },
5957 { 0x21, "unknown-0x21" },
5958 { 0x22, "unknown-0x22" },
5959 { 0x23, "unknown-0x23" },
5960 { 0x24, "unknown-0x24" },
5961 { 0x25, "unknown-0x25" },
5962 { 0x26, "unknown-0x26" },
5963 { 0x27, "unknown-0x27" },
5964 { 0x28, "unknown-0x28" },
5965 { 0x29, "unknown-0x29" },
5966 { 0x2A, "unknown-0x2A" },
5967 { 0x2B, "unknown-0x2B" },
5968 { 0x2C, "unknown-0x2C" },
5969 { 0x2D, "unknown-0x2D" },
5970 { 0x2E, "unknown-0x2E" },
5971 { 0x2F, "unknown-0x2F" },
5972 { 0x30, "unknown-0x30" },
5973 { 0x31, "unknown-0x31" },
5974 { 0x32, "unknown-0x32" },
5975 { 0x33, "unknown-0x33" },
5976 { 0x34, "unknown-0x34" },
5977 { 0x35, "unknown-0x35" },
5978 { 0x36, "unknown-0x36" },
5979 { 0x37, "unknown-0x37" },
5980 { 0x38, "unknown-0x38" },
5981 { 0x39, "unknown-0x39" },
5982 { 0x3A, "unknown-0x3A" },
5983 { 0x3B, "unknown-0x3B" },
5984 { 0x3C, "unknown-0x3C" },
5985 { 0x3D, "unknown-0x3D" },
5986 { 0x3E, "unknown-0x3E" },
5987 { 0x3F, "unknown-0x3F" },
5988 { 0x40, "unknown-0x40" },
5989 { 0x41, "unknown-0x41" },
5990 { 0x42, "unknown-0x42" },
5991 { 0x43, "unknown-0x43" },
5992 { 0x44, "unknown-0x44" },
5993 { 0x45, "unknown-0x45" },
5994 { 0x46, "unknown-0x46" },
5995 { 0x47, "unknown-0x47" },
5996 { 0x48, "unknown-0x48" },
5997 { 0x49, "unknown-0x49" },
5998 { 0x4A, "unknown-0x4A" },
5999 { 0x4B, "unknown-0x4B" },
6000 { 0x4C, "unknown-0x4C" },
6001 { 0x4D, "unknown-0x4D" },
6002 { 0x4E, "unknown-0x4E" },
6003 { 0x4F, "unknown-0x4F" },
6004 { 0x50, "unknown-0x50" },
6005 { 0x51, "unknown-0x51" },
6006 { 0x52, "unknown-0x52" },
6007 { 0x53, "unknown-0x53" },
6008 { 0x54, "unknown-0x54" },
6009 { 0x55, "unknown-0x55" },
6010 { 0x56, "unknown-0x56" },
6011 { 0x57, "unknown-0x57" },
6012 { 0x58, "unknown-0x58" },
6013 { 0x59, "unknown-0x59" },
6014 { 0x5A, "unknown-0x5A" },
6015 { 0x5B, "unknown-0x5B" },
6016 { 0x5C, "unknown-0x5C" },
6017 { 0x5D, "unknown-0x5D" },
6018 { 0x5E, "unknown-0x5E" },
6019 { 0x5F, "unknown-0x5F" },
6020 { 0x60, "unknown-0x60" },
6021 { 0x61, "unknown-0x61" },
6022 { 0x62, "unknown-0x62" },
6023 { 0x63, "unknown-0x63" },
6024 { 0x64, "unknown-0x64" },
6025 { 0x65, "unknown-0x65" },
6026 { 0x66, "unknown-0x66" },
6027 { 0x67, "unknown-0x67" },
6028 { 0x68, "unknown-0x68" },
6029 { 0x69, "unknown-0x69" },
6030 { 0x6A, "unknown-0x6A" },
6031 { 0x6B, "unknown-0x6B" },
6032 { 0x6C, "unknown-0x6C" },
6033 { 0x6D, "unknown-0x6D" },
6034 { 0x6E, "unknown-0x6E" },
6035 { 0x6F, "unknown-0x6F" },
6036 { 0x70, "unknown-0x70" },
6037 { 0x71, "unknown-0x71" },
6038 { 0x72, "unknown-0x72" },
6039 { 0x73, "unknown-0x73" },
6040 { 0x74, "unknown-0x74" },
6041 { 0x75, "unknown-0x75" },
6042 { 0x76, "unknown-0x76" },
6043 { 0x77, "unknown-0x77" },
6044 { 0x78, "unknown-0x78" },
6045 { 0x79, "unknown-0x79" },
6046 { 0x7A, "unknown-0x7A" },
6047 { 0x7B, "unknown-0x7B" },
6048 { 0x7C, "unknown-0x7C" },
6049 { 0x7D, "unknown-0x7D" },
6050 { 0x7E, "unknown-0x7E" },
6051 { 0x7F, "unknown-0x7F" },
6052 { 0x80, "unknown-0x80" },
6053 { 0x81, "unknown-0x81" },
6054 { 0x82, "unknown-0x82" },
6055 { 0x83, "unknown-0x83" },
6056 { 0x84, "unknown-0x84" },
6057 { 0x85, "unknown-0x85" },
6058 { 0x86, "unknown-0x86" },
6059 { 0x87, "unknown-0x87" },
6060 { 0x88, "unknown-0x88" },
6061 { 0x89, "unknown-0x89" },
6062 { 0x8A, "unknown-0x8A" },
6063 { 0x8B, "unknown-0x8B" },
6064 { 0x8C, "unknown-0x8C" },
6065 { 0x8D, "unknown-0x8D" },
6066 { 0x8E, "unknown-0x8E" },
6067 { 0x8F, "unknown-0x8F" },
6068 { 0x90, "unknown-0x90" },
6069 { 0x91, "unknown-0x91" },
6070 { 0x92, "unknown-0x92" },
6071 { 0x93, "unknown-0x93" },
6072 { 0x94, "unknown-0x94" },
6073 { 0x95, "unknown-0x95" },
6074 { 0x96, "unknown-0x96" },
6075 { 0x97, "unknown-0x97" },
6076 { 0x98, "unknown-0x98" },
6077 { 0x99, "unknown-0x99" },
6078 { 0x9A, "unknown-0x9A" },
6079 { 0x9B, "unknown-0x9B" },
6080 { 0x9C, "unknown-0x9C" },
6081 { 0x9D, "unknown-0x9D" },
6082 { 0x9E, "unknown-0x9E" },
6083 { 0x9F, "unknown-0x9F" },
6084 { 0xA0, "unknown-0xA0" },
6085 { 0xA1, "unknown-0xA1" },
6086 { 0xA2, "unknown-0xA2" },
6087 { 0xA3, "unknown-0xA3" },
6088 { 0xA4, "unknown-0xA4" },
6089 { 0xA5, "unknown-0xA5" },
6090 { 0xA6, "unknown-0xA6" },
6091 { 0xA7, "unknown-0xA7" },
6092 { 0xA8, "unknown-0xA8" },
6093 { 0xA9, "unknown-0xA9" },
6094 { 0xAA, "unknown-0xAA" },
6095 { 0xAB, "unknown-0xAB" },
6096 { 0xAC, "unknown-0xAC" },
6097 { 0xAD, "unknown-0xAD" },
6098 { 0xAE, "unknown-0xAE" },
6099 { 0xAF, "unknown-0xAF" },
6100 { 0xB0, "unknown-0xB0" },
6101 { 0xB1, "unknown-0xB1" },
6102 { 0xB2, "unknown-0xB2" },
6103 { 0xB3, "unknown-0xB3" },
6104 { 0xB4, "unknown-0xB4" },
6105 { 0xB5, "unknown-0xB5" },
6106 { 0xB6, "unknown-0xB6" },
6107 { 0xB7, "unknown-0xB7" },
6108 { 0xB8, "unknown-0xB8" },
6109 { 0xB9, "unknown-0xB9" },
6110 { 0xBA, "unknown-0xBA" },
6111 { 0xBB, "unknown-0xBB" },
6112 { 0xBC, "unknown-0xBC" },
6113 { 0xBD, "unknown-0xBD" },
6114 { 0xBE, "unknown-0xBE" },
6115 { 0xBF, "unknown-0xBF" },
6116 { 0xC0, "unknown-0xC0" },
6117 { 0xC1, "unknown-0xC1" },
6118 { 0xC2, "unknown-0xC2" },
6119 { 0xC3, "unknown-0xC3" },
6120 { 0xC4, "unknown-0xC4" },
6121 { 0xC5, "unknown-0xC5" },
6122 { 0xC6, "unknown-0xC6" },
6123 { 0xC7, "unknown-0xC7" },
6124 { 0xC8, "unknown-0xC8" },
6125 { 0xC9, "unknown-0xC9" },
6126 { 0xCA, "unknown-0xCA" },
6127 { 0xCB, "unknown-0xCB" },
6128 { 0xCC, "unknown-0xCC" },
6129 { 0xCD, "unknown-0xCD" },
6130 { 0xCE, "unknown-0xCE" },
6131 { 0xCF, "unknown-0xCF" },
6132 { 0xD0, "unknown-0xD0" },
6133 { 0xD1, "unknown-0xD1" },
6134 { 0xD2, "unknown-0xD2" },
6135 { 0xD3, "unknown-0xD3" },
6136 { 0xD4, "unknown-0xD4" },
6137 { 0xD5, "unknown-0xD5" },
6138 { 0xD6, "unknown-0xD6" },
6139 { 0xD7, "unknown-0xD7" },
6140 { 0xD8, "unknown-0xD8" },
6141 { 0xD9, "unknown-0xD9" },
6142 { 0xDA, "unknown-0xDA" },
6143 { 0xDB, "unknown-0xDB" },
6144 { 0xDC, "unknown-0xDC" },
6145 { 0xDD, "unknown-0xDD" },
6146 { 0xDE, "unknown-0xDE" },
6147 { 0xDF, "unknown-0xDF" },
6148 { 0xE0, "unknown-0xE0" },
6149 { 0xE1, "unknown-0xE1" },
6150 { 0xE2, "unknown-0xE2" },
6151 { 0xE3, "unknown-0xE3" },
6152 { 0xE4, "unknown-0xE4" },
6153 { 0xE5, "unknown-0xE5" },
6154 { 0xE6, "unknown-0xE6" },
6155 { 0xE7, "unknown-0xE7" },
6156 { 0xE8, "unknown-0xE8" },
6157 { 0xE9, "unknown-0xE9" },
6158 { 0xEA, "unknown-0xEA" },
6159 { 0xEB, "unknown-0xEB" },
6160 { 0xEC, "unknown-0xEC" },
6161 { 0xED, "unknown-0xED" },
6162 { 0xEE, "unknown-0xEE" },
6163 { 0xEF, "unknown-0xEF" },
6164 { 0xF0, "unknown-0xF0" },
6165 { 0xF1, "unknown-0xF1" },
6166 { 0xF2, "unknown-0xF2" },
6167 { 0xF3, "unknown-0xF3" },
6168 { 0xF4, "unknown-0xF4" },
6169 { 0xF5, "unknown-0xF5" },
6170 { 0xF6, "unknown-0xF6" },
6171 { 0xF7, "unknown-0xF7" },
6172 { 0xF8, "unknown-0xF8" },
6173 { 0xF9, "unknown-0xF9" },
6174 { 0xFA, "unknown-0xFA" },
6175 { 0xFB, "unknown-0xFB" },
6176 { 0xFC, "unknown-0xFC" },
6177 { 0xFD, "unknown-0xFD" },
6178 { 0xFE, "unknown-0xFE" },
6179 { 0xFF, "unknown-0xFF" },
/* extended value_string initialised over the same table */
6182 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Return the display name for an SMB2 command code.
 *
 * Codes above 0xFF return the literal "unknown". Every other code is used as
 * a direct index into smb2_cmd_vals, so the result is only correct while
 * that table holds one entry per code, in order. The "& 0xFF" cannot change
 * the index here because larger values have already returned.
 */
6184 static const char *decode_smb2_name(guint16 cmd)
6186 if (cmd > 0xFF) return "unknown";
6187 return(smb2_cmd_vals[cmd & 0xFF].strptr);
/*
 * Per-command dissector table: a pair of handlers for each command code,
 * request first and response second (going by the handler names).
 * dissect_smb2_command() indexes it with si->opcode & 0xff, so the declared
 * size of 256 keeps that index in range. Where the selected handler is NULL,
 * dissect_smb2_command() shows the remaining bytes as hf_smb2_unknown.
 */
6190 static smb2_function smb2_dissector[256] = {
6191 /* 0x00 NegotiateProtocol*/
6192 {dissect_smb2_negotiate_protocol_request,
6193 dissect_smb2_negotiate_protocol_response},
6194 /* 0x01 SessionSetup*/
6195 {dissect_smb2_session_setup_request,
6196 dissect_smb2_session_setup_response},
6197 /* 0x02 SessionLogoff*/
6198 {dissect_smb2_sessionlogoff_request,
6199 dissect_smb2_sessionlogoff_response},
6200 /* 0x03 TreeConnect*/
6201 {dissect_smb2_tree_connect_request,
6202 dissect_smb2_tree_connect_response},
6203 /* 0x04 TreeDisconnect*/
6204 {dissect_smb2_tree_disconnect_request,
6205 dissect_smb2_tree_disconnect_response},
6207 {dissect_smb2_create_request,
6208 dissect_smb2_create_response},
6210 {dissect_smb2_close_request,
6211 dissect_smb2_close_response},
6213 {dissect_smb2_flush_request,
6214 dissect_smb2_flush_response},
6216 {dissect_smb2_read_request,
6217 dissect_smb2_read_response},
6219 {dissect_smb2_write_request,
6220 dissect_smb2_write_response},
6222 {dissect_smb2_lock_request,
6223 dissect_smb2_lock_response},
6225 {dissect_smb2_ioctl_request,
6226 dissect_smb2_ioctl_response},
6228 {dissect_smb2_cancel_request,
6231 {dissect_smb2_keepalive_request,
6232 dissect_smb2_keepalive_response},
6234 {dissect_smb2_find_request,
6235 dissect_smb2_find_response},
6237 {dissect_smb2_notify_request,
6238 dissect_smb2_notify_response},
6240 {dissect_smb2_getinfo_request,
6241 dissect_smb2_getinfo_response},
6243 {dissect_smb2_setinfo_request,
6244 dissect_smb2_setinfo_response},
6246 {dissect_smb2_break_request,
6247 dissect_smb2_break_response},
6248 /* 0x13 */ {NULL, NULL},
6249 /* 0x14 */ {NULL, NULL},
6250 /* 0x15 */ {NULL, NULL},
6251 /* 0x16 */ {NULL, NULL},
6252 /* 0x17 */ {NULL, NULL},
6253 /* 0x18 */ {NULL, NULL},
6254 /* 0x19 */ {NULL, NULL},
6255 /* 0x1a */ {NULL, NULL},
6256 /* 0x1b */ {NULL, NULL},
6257 /* 0x1c */ {NULL, NULL},
6258 /* 0x1d */ {NULL, NULL},
6259 /* 0x1e */ {NULL, NULL},
6260 /* 0x1f */ {NULL, NULL},
6261 /* 0x20 */ {NULL, NULL},
6262 /* 0x21 */ {NULL, NULL},
6263 /* 0x22 */ {NULL, NULL},
6264 /* 0x23 */ {NULL, NULL},
6265 /* 0x24 */ {NULL, NULL},
6266 /* 0x25 */ {NULL, NULL},
6267 /* 0x26 */ {NULL, NULL},
6268 /* 0x27 */ {NULL, NULL},
6269 /* 0x28 */ {NULL, NULL},
6270 /* 0x29 */ {NULL, NULL},
6271 /* 0x2a */ {NULL, NULL},
6272 /* 0x2b */ {NULL, NULL},
6273 /* 0x2c */ {NULL, NULL},
6274 /* 0x2d */ {NULL, NULL},
6275 /* 0x2e */ {NULL, NULL},
6276 /* 0x2f */ {NULL, NULL},
6277 /* 0x30 */ {NULL, NULL},
6278 /* 0x31 */ {NULL, NULL},
6279 /* 0x32 */ {NULL, NULL},
6280 /* 0x33 */ {NULL, NULL},
6281 /* 0x34 */ {NULL, NULL},
6282 /* 0x35 */ {NULL, NULL},
6283 /* 0x36 */ {NULL, NULL},
6284 /* 0x37 */ {NULL, NULL},
6285 /* 0x38 */ {NULL, NULL},
6286 /* 0x39 */ {NULL, NULL},
6287 /* 0x3a */ {NULL, NULL},
6288 /* 0x3b */ {NULL, NULL},
6289 /* 0x3c */ {NULL, NULL},
6290 /* 0x3d */ {NULL, NULL},
6291 /* 0x3e */ {NULL, NULL},
6292 /* 0x3f */ {NULL, NULL},
6293 /* 0x40 */ {NULL, NULL},
6294 /* 0x41 */ {NULL, NULL},
6295 /* 0x42 */ {NULL, NULL},
6296 /* 0x43 */ {NULL, NULL},
6297 /* 0x44 */ {NULL, NULL},
6298 /* 0x45 */ {NULL, NULL},
6299 /* 0x46 */ {NULL, NULL},
6300 /* 0x47 */ {NULL, NULL},
6301 /* 0x48 */ {NULL, NULL},
6302 /* 0x49 */ {NULL, NULL},
6303 /* 0x4a */ {NULL, NULL},
6304 /* 0x4b */ {NULL, NULL},
6305 /* 0x4c */ {NULL, NULL},
6306 /* 0x4d */ {NULL, NULL},
6307 /* 0x4e */ {NULL, NULL},
6308 /* 0x4f */ {NULL, NULL},
6309 /* 0x50 */ {NULL, NULL},
6310 /* 0x51 */ {NULL, NULL},
6311 /* 0x52 */ {NULL, NULL},
6312 /* 0x53 */ {NULL, NULL},
6313 /* 0x54 */ {NULL, NULL},
6314 /* 0x55 */ {NULL, NULL},
6315 /* 0x56 */ {NULL, NULL},
6316 /* 0x57 */ {NULL, NULL},
6317 /* 0x58 */ {NULL, NULL},
6318 /* 0x59 */ {NULL, NULL},
6319 /* 0x5a */ {NULL, NULL},
6320 /* 0x5b */ {NULL, NULL},
6321 /* 0x5c */ {NULL, NULL},
6322 /* 0x5d */ {NULL, NULL},
6323 /* 0x5e */ {NULL, NULL},
6324 /* 0x5f */ {NULL, NULL},
6325 /* 0x60 */ {NULL, NULL},
6326 /* 0x61 */ {NULL, NULL},
6327 /* 0x62 */ {NULL, NULL},
6328 /* 0x63 */ {NULL, NULL},
6329 /* 0x64 */ {NULL, NULL},
6330 /* 0x65 */ {NULL, NULL},
6331 /* 0x66 */ {NULL, NULL},
6332 /* 0x67 */ {NULL, NULL},
6333 /* 0x68 */ {NULL, NULL},
6334 /* 0x69 */ {NULL, NULL},
6335 /* 0x6a */ {NULL, NULL},
6336 /* 0x6b */ {NULL, NULL},
6337 /* 0x6c */ {NULL, NULL},
6338 /* 0x6d */ {NULL, NULL},
6339 /* 0x6e */ {NULL, NULL},
6340 /* 0x6f */ {NULL, NULL},
6341 /* 0x70 */ {NULL, NULL},
6342 /* 0x71 */ {NULL, NULL},
6343 /* 0x72 */ {NULL, NULL},
6344 /* 0x73 */ {NULL, NULL},
6345 /* 0x74 */ {NULL, NULL},
6346 /* 0x75 */ {NULL, NULL},
6347 /* 0x76 */ {NULL, NULL},
6348 /* 0x77 */ {NULL, NULL},
6349 /* 0x78 */ {NULL, NULL},
6350 /* 0x79 */ {NULL, NULL},
6351 /* 0x7a */ {NULL, NULL},
6352 /* 0x7b */ {NULL, NULL},
6353 /* 0x7c */ {NULL, NULL},
6354 /* 0x7d */ {NULL, NULL},
6355 /* 0x7e */ {NULL, NULL},
6356 /* 0x7f */ {NULL, NULL},
6357 /* 0x80 */ {NULL, NULL},
6358 /* 0x81 */ {NULL, NULL},
6359 /* 0x82 */ {NULL, NULL},
6360 /* 0x83 */ {NULL, NULL},
6361 /* 0x84 */ {NULL, NULL},
6362 /* 0x85 */ {NULL, NULL},
6363 /* 0x86 */ {NULL, NULL},
6364 /* 0x87 */ {NULL, NULL},
6365 /* 0x88 */ {NULL, NULL},
6366 /* 0x89 */ {NULL, NULL},
6367 /* 0x8a */ {NULL, NULL},
6368 /* 0x8b */ {NULL, NULL},
6369 /* 0x8c */ {NULL, NULL},
6370 /* 0x8d */ {NULL, NULL},
6371 /* 0x8e */ {NULL, NULL},
6372 /* 0x8f */ {NULL, NULL},
6373 /* 0x90 */ {NULL, NULL},
6374 /* 0x91 */ {NULL, NULL},
6375 /* 0x92 */ {NULL, NULL},
6376 /* 0x93 */ {NULL, NULL},
6377 /* 0x94 */ {NULL, NULL},
6378 /* 0x95 */ {NULL, NULL},
6379 /* 0x96 */ {NULL, NULL},
6380 /* 0x97 */ {NULL, NULL},
6381 /* 0x98 */ {NULL, NULL},
6382 /* 0x99 */ {NULL, NULL},
6383 /* 0x9a */ {NULL, NULL},
6384 /* 0x9b */ {NULL, NULL},
6385 /* 0x9c */ {NULL, NULL},
6386 /* 0x9d */ {NULL, NULL},
6387 /* 0x9e */ {NULL, NULL},
6388 /* 0x9f */ {NULL, NULL},
6389 /* 0xa0 */ {NULL, NULL},
6390 /* 0xa1 */ {NULL, NULL},
6391 /* 0xa2 */ {NULL, NULL},
6392 /* 0xa3 */ {NULL, NULL},
6393 /* 0xa4 */ {NULL, NULL},
6394 /* 0xa5 */ {NULL, NULL},
6395 /* 0xa6 */ {NULL, NULL},
6396 /* 0xa7 */ {NULL, NULL},
6397 /* 0xa8 */ {NULL, NULL},
6398 /* 0xa9 */ {NULL, NULL},
6399 /* 0xaa */ {NULL, NULL},
6400 /* 0xab */ {NULL, NULL},
6401 /* 0xac */ {NULL, NULL},
6402 /* 0xad */ {NULL, NULL},
6403 /* 0xae */ {NULL, NULL},
6404 /* 0xaf */ {NULL, NULL},
6405 /* 0xb0 */ {NULL, NULL},
6406 /* 0xb1 */ {NULL, NULL},
6407 /* 0xb2 */ {NULL, NULL},
6408 /* 0xb3 */ {NULL, NULL},
6409 /* 0xb4 */ {NULL, NULL},
6410 /* 0xb5 */ {NULL, NULL},
6411 /* 0xb6 */ {NULL, NULL},
6412 /* 0xb7 */ {NULL, NULL},
6413 /* 0xb8 */ {NULL, NULL},
6414 /* 0xb9 */ {NULL, NULL},
6415 /* 0xba */ {NULL, NULL},
6416 /* 0xbb */ {NULL, NULL},
6417 /* 0xbc */ {NULL, NULL},
6418 /* 0xbd */ {NULL, NULL},
6419 /* 0xbe */ {NULL, NULL},
6420 /* 0xbf */ {NULL, NULL},
6421 /* 0xc0 */ {NULL, NULL},
6422 /* 0xc1 */ {NULL, NULL},
6423 /* 0xc2 */ {NULL, NULL},
6424 /* 0xc3 */ {NULL, NULL},
6425 /* 0xc4 */ {NULL, NULL},
6426 /* 0xc5 */ {NULL, NULL},
6427 /* 0xc6 */ {NULL, NULL},
6428 /* 0xc7 */ {NULL, NULL},
6429 /* 0xc8 */ {NULL, NULL},
6430 /* 0xc9 */ {NULL, NULL},
6431 /* 0xca */ {NULL, NULL},
6432 /* 0xcb */ {NULL, NULL},
6433 /* 0xcc */ {NULL, NULL},
6434 /* 0xcd */ {NULL, NULL},
6435 /* 0xce */ {NULL, NULL},
6436 /* 0xcf */ {NULL, NULL},
6437 /* 0xd0 */ {NULL, NULL},
6438 /* 0xd1 */ {NULL, NULL},
6439 /* 0xd2 */ {NULL, NULL},
6440 /* 0xd3 */ {NULL, NULL},
6441 /* 0xd4 */ {NULL, NULL},
6442 /* 0xd5 */ {NULL, NULL},
6443 /* 0xd6 */ {NULL, NULL},
6444 /* 0xd7 */ {NULL, NULL},
6445 /* 0xd8 */ {NULL, NULL},
6446 /* 0xd9 */ {NULL, NULL},
6447 /* 0xda */ {NULL, NULL},
6448 /* 0xdb */ {NULL, NULL},
6449 /* 0xdc */ {NULL, NULL},
6450 /* 0xdd */ {NULL, NULL},
6451 /* 0xde */ {NULL, NULL},
6452 /* 0xdf */ {NULL, NULL},
6453 /* 0xe0 */ {NULL, NULL},
6454 /* 0xe1 */ {NULL, NULL},
6455 /* 0xe2 */ {NULL, NULL},
6456 /* 0xe3 */ {NULL, NULL},
6457 /* 0xe4 */ {NULL, NULL},
6458 /* 0xe5 */ {NULL, NULL},
6459 /* 0xe6 */ {NULL, NULL},
6460 /* 0xe7 */ {NULL, NULL},
6461 /* 0xe8 */ {NULL, NULL},
6462 /* 0xe9 */ {NULL, NULL},
6463 /* 0xea */ {NULL, NULL},
6464 /* 0xeb */ {NULL, NULL},
6465 /* 0xec */ {NULL, NULL},
6466 /* 0xed */ {NULL, NULL},
6467 /* 0xee */ {NULL, NULL},
6468 /* 0xef */ {NULL, NULL},
6469 /* 0xf0 */ {NULL, NULL},
6470 /* 0xf1 */ {NULL, NULL},
6471 /* 0xf2 */ {NULL, NULL},
6472 /* 0xf3 */ {NULL, NULL},
6473 /* 0xf4 */ {NULL, NULL},
6474 /* 0xf5 */ {NULL, NULL},
6475 /* 0xf6 */ {NULL, NULL},
6476 /* 0xf7 */ {NULL, NULL},
6477 /* 0xf8 */ {NULL, NULL},
6478 /* 0xf9 */ {NULL, NULL},
6479 /* 0xfa */ {NULL, NULL},
6480 /* 0xfb */ {NULL, NULL},
6481 /* 0xfc */ {NULL, NULL},
6482 /* 0xfd */ {NULL, NULL},
6483 /* 0xfe */ {NULL, NULL},
6484 /* 0xff */ {NULL, NULL},
/* value of the transform header's encryption algorithm field that enables the decryption path below */
6488 #define ENC_ALG_aes128_ccm 0x0001
/*
 * Dissect an SMB2 Transform Header and, when a key is available, decrypt
 * the payload that follows it.
 *
 * Fields added to the tree, in order: 16-byte signature, 16-byte nonce (also
 * copied into sti->nonce), 32-bit message size (sti->size), 2 reserved bytes,
 * 16-bit encryption algorithm (sti->alg) and 64-bit session id (sti->sesid).
 * The session id is looked up in sti->conv->sesids.
 *
 * With libgcrypt and sti->alg == ENC_ALG_aes128_ccm, the key is chosen by
 * comparing pinfo->destport with the session's server_port, and an all-zero
 * key is treated as absent. The payload is copied with tvb_memdup() and run
 * through AES-128 in CTR mode with counter block A_1, whose bytes 1..11 come
 * from the nonce.
 *
 * On the way out *enc_tvb covers the sti->size payload bytes. *plain_tvb is
 * set only when plain_data is non-NULL; it is then registered as the
 * "Decrypted SMB3" data source with g_free as its free callback.
 *
 * NOTE(review): only the CTR keystream step is applied. The 16-byte
 * signature, which for AES-CCM should be the authentication tag, is added to
 * the tree but is not verified in the lines shown. The decrypted bytes are
 * therefore unauthenticated: a wrong key or altered ciphertext yields
 * arbitrary bytes that are still handed on for dissection, so downstream
 * dissectors must treat *plain_tvb as untrusted input.
 * NOTE(review): sti->size is a 32-bit value from the packet. It is used as
 * the tvb_memdup() length, as both lengths of tvb_new_subset(), as the
 * gcry_cipher_encrypt() length, and it is added to the signed int offset.
 * No upper bound check is visible here. Confirm that sizes beyond the
 * captured data, or above INT_MAX, are rejected by those helpers rather than
 * wrapping.
 * NOTE(review): the failure paths jump to done_decryption. Confirm that
 * plain_data is released and reset there, so that a half-processed buffer is
 * never exposed as decrypted data.
 */
6491 dissect_smb2_transform_header(packet_info *pinfo _U_, proto_tree *tree,
6492 tvbuff_t *tvb, int offset,
6493 smb2_transform_info_t *sti,
6494 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
6496 proto_item *sesid_item = NULL;
6497 proto_tree *sesid_tree = NULL;
6498 smb2_sesid_info_t sesid_key;
6500 guint8 *plain_data = NULL;
6501 #ifdef HAVE_LIBGCRYPT
6502 guint8 *decryption_key = NULL;
6506 static const int *sf_fields[] = {
6507 &hf_smb2_encryption_aes128_ccm,
/* signature: displayed only, not checked against the payload in this function */
6515 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
6519 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
/* keep the nonce: part of it seeds the CTR counter block below */
6520 tvb_memcpy(tvb, sti->nonce, offset, 16);
6524 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
/* payload length as claimed by the packet (untrusted) */
6525 sti->size = tvb_get_letohl(tvb, offset);
6529 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
6533 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_enc_alg, ett_smb2_transform_enc_alg, sf_fields, ENC_LITTLE_ENDIAN);
6534 sti->alg = tvb_get_letohs(tvb, offset);
6538 sesid_offset = offset;
6539 sti->sesid = tvb_get_letoh64(tvb, offset);
6540 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6542 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
6546 /* now we need to first lookup the uid session */
6547 sesid_key.sesid = sti->sesid;
6548 sti->session = (smb2_sesid_info_t *)g_hash_table_lookup(sti->conv->sesids, &sesid_key);
/* show account details only for sessions with a recorded authentication frame */
6550 if (sti->session != NULL && sti->session->auth_frame != (guint32)-1) {
6551 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, sti->session->acct_name);
6552 PROTO_ITEM_SET_GENERATED(item);
6553 proto_item_append_text(sesid_item, " Acct:%s", sti->session->acct_name);
6555 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, sti->session->domain_name);
6556 PROTO_ITEM_SET_GENERATED(item);
6557 proto_item_append_text(sesid_item, " Domain:%s", sti->session->domain_name);
6559 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, sti->session->host_name);
6560 PROTO_ITEM_SET_GENERATED(item);
6561 proto_item_append_text(sesid_item, " Host:%s", sti->session->host_name);
6563 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, sti->session->auth_frame);
6564 PROTO_ITEM_SET_GENERATED(item);
6567 #ifdef HAVE_LIBGCRYPT
6568 if (sti->session != NULL && sti->alg == ENC_ALG_aes128_ccm) {
6569 static const guint8 zeros[16];
/* the key is picked by direction: destination port compared with the session's server port */
6571 if (pinfo->destport == sti->session->server_port) {
6572 decryption_key = sti->session->server_decryption_key;
6574 decryption_key = sti->session->client_decryption_key;
/* an all-zero key is treated as "no key available" */
6577 if (memcmp(decryption_key, zeros, 16) == 0) {
6578 decryption_key = NULL;
6582 if (decryption_key != NULL) {
6583 gcry_cipher_hd_t cipher_hd = NULL;
6585 3, 0, 0, 0, 0, 0, 0, 0,
6586 0, 0, 0, 0, 0, 0, 0, 1
/* bytes 1..11 of the counter block come from the nonce (15 - 4 = 11 bytes) */
6589 memcpy(&A_1[1], sti->nonce, 15 - 4);
/* work on a private copy so the captured bytes stay intact */
6591 plain_data = (guint8 *)tvb_memdup(tvb, offset, sti->size);
6593 /* Open the cipher. */
6594 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
6597 goto done_decryption;
6600 /* Set the key and initial value. */
6601 if (gcry_cipher_setkey(cipher_hd, decryption_key, 16)) {
6602 gcry_cipher_close(cipher_hd);
6605 goto done_decryption;
6607 if (gcry_cipher_setctr(cipher_hd, A_1, 16)) {
6608 gcry_cipher_close(cipher_hd);
6611 goto done_decryption;
/* in CTR mode, applying the keystream in place turns the copy into plaintext */
6614 if (gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0)) {
6615 gcry_cipher_close(cipher_hd);
6618 goto done_decryption;
6621 /* Done with the cipher. */
6622 gcry_cipher_close(cipher_hd);
/* the encrypted view is always produced, whether or not decryption was possible */
6626 *enc_tvb = tvb_new_subset(tvb, offset, sti->size, sti->size);
6628 if (plain_data != NULL) {
6629 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
/* plain_data is now owned by the tvb, which releases it through g_free */
6630 tvb_set_free_cb(*plain_tvb, g_free);
6631 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
6634 offset += sti->size;
/*
 * Dissect the command-specific part of an SMB2 message.
 *
 * Adds a command item whose text is built from decode_smb2_name(si->opcode)
 * and "Response"/"Request", then picks the response or request handler from
 * smb2_dissector[si->opcode & 0xff] according to SMB2_FLAGS_RESPONSE. When
 * the handler is NULL, the rest of the tvb is added as hf_smb2_unknown and
 * offset is set to tvb_length(tvb). The item length is then set to the
 * number of bytes consumed.
 *
 * NOTE(review): si->opcode is masked to its low byte for dispatch, but
 * decode_smb2_name() returns "unknown" for any value above 0xFF. An opcode
 * such as 0x0105 (constructed example) is therefore labelled "unknown" yet
 * dissected by the handler for 0x05. Consider treating opcodes above 0xFF as
 * unknown before dispatch, so that the label and the handler agree.
 */
6639 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
6641 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
6642 proto_item *cmd_item;
6643 proto_tree *cmd_tree;
6644 int old_offset = offset;
6646 cmd_item = proto_tree_add_text(tree, tvb, offset, -1,
6648 decode_smb2_name(si->opcode),
6649 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
6651 cmd_tree = proto_item_add_subtree(cmd_item, ett_smb2_command);
/* the mask keeps the index inside the 256-entry table for any 16-bit opcode */
6654 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
6655 smb2_dissector[si->opcode&0xff].response:
6656 smb2_dissector[si->opcode&0xff].request;
6657 if (cmd_dissector) {
6658 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
/* no handler for this command: show the remainder as opaque bytes */
6660 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
6661 offset = tvb_length(tvb);
6664 proto_item_set_len(cmd_item, offset-old_offset);
/*
 * Dissect the async id (or process id and tree id) and the session id of the
 * SMB2 header, and attach what is known about the session and the tree.
 *
 * - With SMB2_FLAGS_ASYNC_CMD set, an 8-byte async id is added. The process
 *   id and tree id lines are presumably the non-async branch; the branch
 *   structure is not fully visible here.
 * - The 64-bit session id is stored in si->sesid and looked up in
 *   si->conv->sesids.
 * - For opcode 0x03 (Tree Connect in smb2_cmd_vals) a placeholder session is
 *   allocated with se_new(), given auth_frame (guint32)-1 and NULL names, and
 *   inserted into si->conv->sesids; other opcodes return early. Presumably
 *   this happens only when the lookup found nothing - confirm.
 * - Account, domain and host names are shown only when auth_frame is not
 *   (guint32)-1, so the NULL names of a placeholder session never reach the
 *   "%s" formats.
 * - For non-async messages the tree id is looked up in si->session->tids and
 *   the tree name, share type and connect frame are added as generated items.
 *
 * NOTE(review): session ids come from the capture, and each placeholder
 * session gets its own g_hash_table_new() table. No matching destroy is
 * visible here, so a capture with many distinct session ids on Tree Connect
 * keeps growing memory for as long as the conversation data lives. Confirm
 * where these tables are released.
 * NOTE(review): si->session is dereferenced for auth_frame and tids. Confirm
 * that every path reaching those lines has a non-NULL session.
 */
6670 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
6672 proto_item *tid_item = NULL;
6673 proto_tree *tid_tree = NULL;
6674 smb2_tid_info_t tid_key;
6676 proto_item *sesid_item = NULL;
6677 proto_tree *sesid_tree = NULL;
6678 smb2_sesid_info_t sesid_key;
6684 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
6685 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6689 pid = tvb_get_letohl(tvb, offset);
6690 proto_tree_add_uint_format(tree, hf_smb2_pid, tvb, offset, 4, pid, "Process Id: %08x",pid);
/* remember where the tree id sits so generated items can point back at it */
6694 tid_offset = offset;
6695 si->tid = tvb_get_letohl(tvb, offset);
6696 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6698 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
/* remember where the session id sits so generated items can point back at it */
6704 sesid_offset = offset;
6705 si->sesid = tvb_get_letoh64(tvb, offset);
6706 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6708 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
6712 /* now we need to first lookup the uid session */
6713 sesid_key.sesid = si->sesid;
6714 si->session = (smb2_sesid_info_t *)g_hash_table_lookup(si->conv->sesids, &sesid_key);
/* 0x03 is Tree Connect: only that command goes on to create a placeholder session */
6716 if (si->opcode != 0x03) return offset;
6718 /* if we come to a session that is unknown, and the operation is
6719 * a tree connect, we create a dummy sessison, so we can hang the
6722 si->session = se_new(smb2_sesid_info_t);
6723 si->session->sesid = si->sesid;
6724 si->session->acct_name = NULL;
6725 si->session->domain_name = NULL;
6726 si->session->host_name = NULL;
6727 si->session->auth_frame = (guint32)-1;
6728 si->session->tids = g_hash_table_new(smb2_tid_info_hash, smb2_tid_info_equal);
6729 g_hash_table_insert(si->conv->sesids, si->session, si->session);
6734 if (si->session->auth_frame != (guint32)-1) {
6735 item = proto_tree_add_string(sesid_tree, hf_smb2_acct_name, tvb, sesid_offset, 0, si->session->acct_name);
6736 PROTO_ITEM_SET_GENERATED(item);
6737 proto_item_append_text(sesid_item, " Acct:%s", si->session->acct_name);
6739 item = proto_tree_add_string(sesid_tree, hf_smb2_domain_name, tvb, sesid_offset, 0, si->session->domain_name);
6740 PROTO_ITEM_SET_GENERATED(item);
6741 proto_item_append_text(sesid_item, " Domain:%s", si->session->domain_name);
6743 item = proto_tree_add_string(sesid_tree, hf_smb2_host_name, tvb, sesid_offset, 0, si->session->host_name);
6744 PROTO_ITEM_SET_GENERATED(item);
6745 proto_item_append_text(sesid_item, " Host:%s", si->session->host_name);
6747 item = proto_tree_add_uint(sesid_tree, hf_smb2_auth_frame, tvb, sesid_offset, 0, si->session->auth_frame);
6748 PROTO_ITEM_SET_GENERATED(item);
6751 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
6752 /* see if we can find the name for this tid */
6753 tid_key.tid = si->tid;
6754 si->tree = g_hash_table_lookup(si->session->tids, &tid_key);
/* unknown tree id: nothing more to annotate */
6755 if (!si->tree) return offset;
6757 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
6758 PROTO_ITEM_SET_GENERATED(item);
6759 proto_item_append_text(tid_item, " %s", si->tree->name);
6761 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
6762 PROTO_ITEM_SET_GENERATED(item);
6764 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
6765 PROTO_ITEM_SET_GENERATED(item);
6772 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
6774 gboolean smb2_transform_header = FALSE;
6775 proto_item *seqnum_item;
6776 proto_item *item = NULL;
6777 proto_tree *tree = NULL;
6778 proto_item *header_item = NULL;
6779 proto_tree *header_tree = NULL;
6780 proto_item *flags_item = NULL;
6781 proto_tree *flags_tree = NULL;
6783 int chain_offset = 0;
6784 char* label = smb_header_label;
6785 conversation_t *conversation;
6786 smb2_saved_info_t *ssi = NULL, ssi_key;
6788 smb2_transform_info_t *sti;
6790 guint32 open_frame,close_frame;
6791 smb2_eo_file_info_t *eo_file_info;
6792 e_ctx_hnd *policy_hnd_hashtablekey;
6794 sti = ep_alloc(sizeof(smb2_transform_info_t));
6795 si = ep_alloc(sizeof(smb2_info_t));
6796 si->eo_file_info = NULL;
6800 si->top_tree = parent_tree;
6802 if (tvb_get_guint8(tvb, 0) == 0xfd) {
6803 smb2_transform_header = TRUE;
6804 label = smb_transform_header_label;
6806 /* find which conversation we are part of and get the data for that
6809 conversation = find_or_create_conversation(pinfo);
6810 si->conv = conversation_get_proto_data(conversation, proto_smb2);
6812 /* no smb2_into_t structure for this conversation yet,
6815 si->conv = se_alloc(sizeof(smb2_conv_info_t));
6816 /* qqq this leaks memory for now since we never free
6818 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
6819 smb2_saved_info_equal_matched);
6820 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
6821 smb2_saved_info_equal_unmatched);
6822 si->conv->sesids = g_hash_table_new(smb2_sesid_info_hash,
6823 smb2_sesid_info_equal);
6824 si->conv->files = g_hash_table_new(smb2_eo_files_hash,smb2_eo_files_equal);
6826 conversation_add_proto_data(conversation, proto_smb2, si->conv);
6829 sti->conv = si->conv;
6831 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
6832 if (check_col(pinfo->cinfo, COL_INFO)) {
6833 if (first_in_chain) {
6835 col_clear(pinfo->cinfo, COL_INFO);
6837 col_append_str(pinfo->cinfo, COL_INFO, ";");
6842 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset,
6844 tree = proto_item_add_subtree(item, ett_smb2);
6849 header_item = proto_tree_add_text(tree, tvb, offset, -1, "%s", label);
6850 header_tree = proto_item_add_subtree(header_item, ett_smb2_header);
6853 /* Decode the header */
6855 if (!smb2_transform_header) {
6857 proto_tree_add_text(header_tree, tvb, offset, 4, "Server Component: SMB2");
6860 /* we need the flags before we know how to parse the credits field */
6861 si->flags = tvb_get_letohl(tvb, offset+12);
6864 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6867 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
6868 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6872 if (si->flags & SMB2_FLAGS_RESPONSE) {
6873 si->status = tvb_get_letohl(tvb, offset);
6874 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6878 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6880 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6885 si->opcode = tvb_get_letohs(tvb, offset);
6886 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6890 if (si->flags & SMB2_FLAGS_RESPONSE) {
6891 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6893 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6899 flags_item = proto_tree_add_text(header_tree, tvb, offset, 4,
6900 "Flags: 0x%08x", si->flags);
6901 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_flags);
6903 proto_tree_add_boolean(flags_tree, hf_smb2_flags_replay_operation, tvb, offset, 4, si->flags);
6904 proto_tree_add_boolean(flags_tree, hf_smb2_flags_dfs_op, tvb, offset, 4, si->flags);
6905 proto_tree_add_boolean(flags_tree, hf_smb2_flags_signature, tvb, offset, 4, si->flags);
6906 proto_tree_add_boolean(flags_tree, hf_smb2_flags_chained, tvb, offset, 4, si->flags);
6907 proto_tree_add_boolean(flags_tree, hf_smb2_flags_async_cmd, tvb, offset, 4, si->flags);
6908 proto_tree_add_boolean(flags_tree, hf_smb2_flags_response, tvb, offset, 4, si->flags);
6913 chain_offset = tvb_get_letohl(tvb, offset);
6914 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_BIG_ENDIAN);
6917 /* command sequence number*/
6918 si->seqnum = tvb_get_letoh64(tvb, offset);
6919 ssi_key.seqnum = si->seqnum;
6920 seqnum_item = proto_tree_add_item(header_tree, hf_smb2_seqnum, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6921 if (seqnum_item && (si->seqnum == -1)) {
6922 proto_item_append_text(seqnum_item, " (unsolicited response)");
6926 /* Tree ID and Session ID */
6927 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
6930 proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
6933 proto_item_set_len(header_item, offset);
6936 if (check_col(pinfo->cinfo, COL_INFO)) {
6937 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
6938 decode_smb2_name(si->opcode),
6939 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
6942 pinfo->cinfo, COL_INFO, ", Error: %s",
6943 val_to_str(si->status, NT_errors,
6944 "Unknown (0x%08X)"));
6949 if (!pinfo->fd->flags.visited) {
6950 /* see if we can find this seqnum in the unmatched table */
6951 ssi = g_hash_table_lookup(si->conv->unmatched, &ssi_key);
6953 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
6954 /* This is a request */
6956 /* this is a request and we already found
6957 * an older ssi so just delete the previous
6960 g_hash_table_remove(si->conv->unmatched, ssi);
6965 /* no we couldnt find it, so just add it then
6966 * if was a request we are decoding
6968 ssi = se_alloc0(sizeof(smb2_saved_info_t));
6969 ssi->seqnum = ssi_key.seqnum;
6970 ssi->frame_req = pinfo->fd->num;
6971 ssi->req_time = pinfo->fd->abs_ts;
6972 ssi->extra_info_type = SMB2_EI_NONE;
6973 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
6976 /* This is a response */
6978 /* just set the response frame and move it to the matched table */
6979 ssi->frame_res = pinfo->fd->num;
6980 g_hash_table_remove(si->conv->unmatched, ssi);
6981 g_hash_table_insert(si->conv->matched, ssi, ssi);
6985 /* see if we can find this seqnum in the matched table */
6986 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
6987 /* if we couldnt find it in the matched table, it might still
6988 * be in the unmatched table
6991 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
6996 if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num)) {
6997 /* If needed, create the file entry and save the policy hnd */
6998 if (!si->eo_file_info) {
7000 eo_file_info = (smb2_eo_file_info_t *)g_hash_table_lookup(si->conv->files,&ssi->policy_hnd);
7001 if (!eo_file_info) { /* XXX This should never happen */
7003 eo_file_info = se_new(smb2_eo_file_info_t);
7004 policy_hnd_hashtablekey = se_new(e_ctx_hnd);
7005 memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
7006 eo_file_info->end_of_file=0;
7007 g_hash_table_insert(si->conv->files,policy_hnd_hashtablekey,eo_file_info);
7009 si->eo_file_info=eo_file_info;
7014 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
7015 if (ssi->frame_res) {
7016 proto_item *tmp_item;
7017 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
7018 PROTO_ITEM_SET_GENERATED(tmp_item);
7021 if (ssi->frame_req) {
7022 proto_item *tmp_item;
7025 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
7026 PROTO_ITEM_SET_GENERATED(tmp_item);
7027 t = pinfo->fd->abs_ts;
7028 nstime_delta(&deltat, &t, &ssi->req_time);
7029 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
7031 PROTO_ITEM_SET_GENERATED(tmp_item);
7035 /* if we dont have ssi yet we must fake it */
7039 tap_queue_packet(smb2_tap, pinfo, si);
7041 /* Decode the payload */
7042 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
7044 proto_item *enc_item;
7045 proto_tree *enc_tree;
7046 tvbuff_t *enc_tvb = NULL;
7047 tvbuff_t *plain_tvb = NULL;
7049 /* SMB2_TRANSFORM marker */
7050 proto_tree_add_text(header_tree, tvb, offset, 4, "Server Component: SMB2_TRANSFORM");
7053 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
7054 &enc_tvb, &plain_tvb);
7056 enc_item = proto_tree_add_text(tree, enc_tvb, 0, sti->size, "Encrypted SMB3 data");
7057 enc_tree = proto_item_add_subtree(enc_item, ett_smb2_encrypted);
7058 if (plain_tvb != NULL) {
7059 col_append_fstr(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
7060 dissect_smb2(plain_tvb, pinfo, enc_tree, FALSE);
7062 col_append_fstr(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
7063 proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
7064 enc_tvb, 0, sti->size, ENC_NA);
7067 if (tvb_reported_length_remaining(tvb, offset) > 0) {
7068 chain_offset = offset;
7072 if (chain_offset > 0) {
7075 proto_item_set_len(item, chain_offset);
7077 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
7078 offset = dissect_smb2(next_tvb, pinfo, parent_tree, FALSE);
/*
 * Heuristic entry point for SMB2: decides from the first four bytes whether
 * the buffer should be handed to dissect_smb2().
 *
 * tvb          buffer to test and, on a match, dissect
 * pinfo        packet info, passed through to dissect_smb2()
 * parent_tree  protocol tree, passed through to dissect_smb2()
 * data         unused (marked _U_)
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip), so the return type, the braces and the statements taken when a
 * check fails are not visible here -- confirm against the full file.
 */
7085 dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
7088 /* must check that this really is a smb2 packet */
/* Length guard first: the byte reads below touch offsets 0..3, so a buffer
 * shorter than four bytes is tested for before any of them runs. */
7089 if (tvb_length(tvb) < 4)
/* Signature test: byte 0 must be 0xfe or 0xfd and bytes 1..3 must spell
 * "SMB".  0xfe is the plain SMB2 header; 0xfd is presumably the
 * SMB2_TRANSFORM (encrypted) header handled in dissect_smb2() -- confirm. */
7092 if (((tvb_get_guint8(tvb, 0) != 0xfe) && (tvb_get_guint8(tvb, 0) != 0xfd))
7093 || (tvb_get_guint8(tvb, 1) != 'S')
7094 || (tvb_get_guint8(tvb, 2) != 'M')
7095 || (tvb_get_guint8(tvb, 3) != 'B') ) {
/* Four matching bytes are all that vouches for the payload: every field
 * after them is untrusted capture data and has to be bounds-checked by the
 * dissector itself.  TRUE is passed as the last argument here; the other
 * dissect_smb2() calls in this file (chained and decrypted payloads) pass
 * FALSE. */
7099 dissect_smb2(tvb, pinfo, parent_tree, TRUE);
7105 proto_register_smb2(void)
7107 module_t *smb2_module;
7108 static hf_register_info hf[] = {
7110 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC|BASE_EXT_STRING,
7111 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }},
7112 { &hf_smb2_response_to,
7113 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
7114 NULL, 0, "This packet is a response to the packet in this frame", HFILL }},
7115 { &hf_smb2_response_in,
7116 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
7117 NULL, 0, "The response to this packet is in this packet", HFILL }},
7119 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
7120 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }},
7121 { &hf_smb2_header_len,
7122 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
7123 NULL, 0, "SMB2 Size of Header", HFILL }},
7124 { &hf_smb2_nt_status,
7125 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX,
7126 VALS(NT_errors), 0, "NT Status code", HFILL }},
7128 { "Command Sequence Number", "smb2.seq_num", FT_INT64, BASE_DEC,
7129 NULL, 0, "SMB2 Command Sequence Number", HFILL }},
7131 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
7132 NULL, 0, "SMB2 Tree Id", HFILL }},
7134 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
7135 NULL, 0, "SMB2 Async Id", HFILL }},
7137 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
7138 NULL, 0, "SMB2 Session Id", HFILL }},
7139 { &hf_smb2_previous_sesid,
7140 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
7141 NULL, 0, "SMB2 Previous Session Id", HFILL }},
7142 { &hf_smb2_chain_offset,
7143 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
7144 NULL, 0, "SMB2 Chain Offset", HFILL }},
7145 { &hf_smb2_end_of_file,
7146 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
7147 NULL, 0, "SMB2 End Of File/File size", HFILL }},
7149 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
7150 NULL, 0, "Number of links to this object", HFILL }},
7152 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
7153 NULL, 0, "SMB2 File Id", HFILL }},
7154 { &hf_smb2_allocation_size,
7155 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
7156 NULL, 0, "SMB2 Allocation Size for this object", HFILL }},
7157 { &hf_smb2_max_response_size,
7158 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
7159 NULL, 0, "SMB2 Maximum response size", HFILL }},
7160 { &hf_smb2_setinfo_size,
7161 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
7162 NULL, 0, "SMB2 setinfo size", HFILL }},
7163 { &hf_smb2_setinfo_offset,
7164 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
7165 NULL, 0, "SMB2 setinfo offset", HFILL }},
7166 { &hf_smb2_max_ioctl_out_size,
7167 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
7168 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
7169 { &hf_smb2_max_ioctl_in_size,
7170 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
7171 NULL, 0, "SMB2 Maximum ioctl out size", HFILL }},
7172 { &hf_smb2_required_buffer_size,
7173 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
7174 NULL, 0, "SMB2 required buffer size", HFILL }},
7176 { "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
7177 NULL, 0, "SMB2 Process Id", HFILL }},
7178 { &hf_smb2_flags_response,
7179 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
7180 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }},
7181 { &hf_smb2_flags_async_cmd,
7182 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
7183 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }},
7184 { &hf_smb2_flags_dfs_op,
7185 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
7186 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }},
7187 { &hf_smb2_flags_chained,
7188 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
7189 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }},
7190 { &hf_smb2_flags_signature,
7191 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
7192 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }},
7193 { &hf_smb2_flags_replay_operation,
7194 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
7195 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }},
7197 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
7198 NULL, 0, "Name of the Tree/Share", HFILL }},
7199 { &hf_smb2_filename,
7200 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
7201 NULL, 0, "Name of the file", HFILL }},
7202 { &hf_smb2_filename_len,
7203 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
7204 NULL, 0, "Length of the file name", HFILL }},
7206 { &hf_smb2_data_offset,
7207 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
7208 NULL, 0, "Offset to data", HFILL }},
7210 { &hf_smb2_find_info_level,
7211 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
7212 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }},
7213 { &hf_smb2_find_flags,
7214 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
7215 NULL, 0, NULL, HFILL }},
7217 { &hf_smb2_find_pattern,
7218 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
7219 NULL, 0, "Find pattern", HFILL }},
7221 { &hf_smb2_find_info_blob,
7222 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
7223 NULL, 0, "Find Info", HFILL }},
7226 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
7227 NULL, 0, "Size of EA data", HFILL }},
7230 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
7231 VALS(smb2_class_vals), 0, "Info class", HFILL }},
7233 { &hf_smb2_infolevel,
7234 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
7235 NULL, 0, NULL, HFILL }},
7237 { &hf_smb2_infolevel_file_info,
7238 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX,
7239 VALS(smb2_file_info_levels), 0, "File_Info Infolevel", HFILL }},
7241 { &hf_smb2_infolevel_fs_info,
7242 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX,
7243 VALS(smb2_fs_info_levels), 0, "Fs_Info Infolevel", HFILL }},
7245 { &hf_smb2_infolevel_sec_info,
7246 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX,
7247 VALS(smb2_sec_info_levels), 0, "Sec_Info Infolevel", HFILL }},
7249 { &hf_smb2_write_length,
7250 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
7251 NULL, 0, "Amount of data to write", HFILL }},
7253 { &hf_smb2_read_length,
7254 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
7255 NULL, 0, "Amount of data to read", HFILL }},
7257 { &hf_smb2_read_remaining,
7258 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
7259 NULL, 0, NULL, HFILL }},
7261 { &hf_smb2_create_flags,
7262 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
7263 NULL, 0, NULL, HFILL }},
7265 { &hf_smb2_file_offset,
7266 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
7267 NULL, 0, NULL, HFILL }},
7269 { &hf_smb2_security_blob,
7270 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
7271 NULL, 0, NULL, HFILL }},
7273 { &hf_smb2_ioctl_out_data,
7274 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
7275 NULL, 0, "Ioctl Out", HFILL }},
7277 { &hf_smb2_ioctl_in_data,
7278 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
7279 NULL, 0, "Ioctl In", HFILL }},
7281 { &hf_smb2_server_guid,
7282 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
7283 NULL, 0, NULL, HFILL }},
7285 { &hf_smb2_client_guid,
7286 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
7287 NULL, 0, NULL, HFILL }},
7289 { &hf_smb2_object_id,
7290 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
7291 NULL, 0, "ObjectID for this FID", HFILL }},
7293 { &hf_smb2_birth_volume_id,
7294 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
7295 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }},
7297 { &hf_smb2_birth_object_id,
7298 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
7299 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }},
7301 { &hf_smb2_domain_id,
7302 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
7303 NULL, 0, NULL, HFILL }},
7305 { &hf_smb2_create_timestamp,
7306 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7307 NULL, 0, "Time when this object was created", HFILL }},
7310 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
7311 NULL, 0, "SMB2 File Id", HFILL }},
7313 { &hf_smb2_write_data,
7314 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
7315 NULL, 0, "SMB2 Data to be written", HFILL }},
7317 { &hf_smb2_write_flags,
7318 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
7319 NULL, 0, NULL, HFILL }},
7321 { &hf_smb2_write_flags_write_through,
7322 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
7323 NULL, SMB2_WRITE_FLAG_WRITE_THROUGH, NULL, HFILL }},
7325 { &hf_smb2_write_count,
7326 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
7327 NULL, 0, NULL, HFILL }},
7329 { &hf_smb2_write_remaining,
7330 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
7331 NULL, 0, NULL, HFILL }},
7333 { &hf_smb2_read_data,
7334 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
7335 NULL, 0, "SMB2 Data that is read", HFILL }},
7337 { &hf_smb2_last_access_timestamp,
7338 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7339 NULL, 0, "Time when this object was last accessed", HFILL }},
7341 { &hf_smb2_last_write_timestamp,
7342 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7343 NULL, 0, "Time when this object was last written to", HFILL }},
7345 { &hf_smb2_last_change_timestamp,
7346 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7347 NULL, 0, "Time when this object was last changed", HFILL }},
7349 { &hf_smb2_file_all_info,
7350 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
7351 NULL, 0, "SMB2_FILE_ALL_INFO structure", HFILL }},
7353 { &hf_smb2_file_allocation_info,
7354 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
7355 NULL, 0, "SMB2_FILE_ALLOCATION_INFO structure", HFILL }},
7357 { &hf_smb2_file_endoffile_info,
7358 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
7359 NULL, 0, "SMB2_FILE_ENDOFFILE_INFO structure", HFILL }},
7361 { &hf_smb2_file_alternate_name_info,
7362 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
7363 NULL, 0, "SMB2_FILE_ALTERNATE_NAME_INFO structure", HFILL }},
7365 { &hf_smb2_file_stream_info,
7366 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
7367 NULL, 0, "SMB2_FILE_STREAM_INFO structure", HFILL }},
7369 { &hf_smb2_file_pipe_info,
7370 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
7371 NULL, 0, "SMB2_FILE_PIPE_INFO structure", HFILL }},
7373 { &hf_smb2_file_compression_info,
7374 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
7375 NULL, 0, "SMB2_FILE_COMPRESSION_INFO structure", HFILL }},
7377 { &hf_smb2_file_basic_info,
7378 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
7379 NULL, 0, "SMB2_FILE_BASIC_INFO structure", HFILL }},
7381 { &hf_smb2_file_standard_info,
7382 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
7383 NULL, 0, "SMB2_FILE_STANDARD_INFO structure", HFILL }},
7385 { &hf_smb2_file_internal_info,
7386 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
7387 NULL, 0, "SMB2_FILE_INTERNAL_INFO structure", HFILL }},
7389 { &hf_smb2_file_mode_info,
7390 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
7391 NULL, 0, "SMB2_FILE_MODE_INFO structure", HFILL }},
7393 { &hf_smb2_file_alignment_info,
7394 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
7395 NULL, 0, "SMB2_FILE_ALIGNMENT_INFO structure", HFILL }},
7397 { &hf_smb2_file_position_info,
7398 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
7399 NULL, 0, "SMB2_FILE_POSITION_INFO structure", HFILL }},
7401 { &hf_smb2_file_access_info,
7402 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
7403 NULL, 0, "SMB2_FILE_ACCESS_INFO structure", HFILL }},
7405 { &hf_smb2_file_ea_info,
7406 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
7407 NULL, 0, "SMB2_FILE_EA_INFO structure", HFILL }},
7409 { &hf_smb2_file_network_open_info,
7410 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
7411 NULL, 0, "SMB2_FILE_NETWORK_OPEN_INFO structure", HFILL }},
7413 { &hf_smb2_file_attribute_tag_info,
7414 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
7415 NULL, 0, "SMB2_FILE_ATTRIBUTE_TAG_INFO structure", HFILL }},
7417 { &hf_smb2_file_disposition_info,
7418 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
7419 NULL, 0, "SMB2_FILE_DISPOSITION_INFO structure", HFILL }},
7421 { &hf_smb2_file_full_ea_info,
7422 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
7423 NULL, 0, "SMB2_FILE_FULL_EA_INFO structure", HFILL }},
7425 { &hf_smb2_file_rename_info,
7426 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
7427 NULL, 0, "SMB2_FILE_RENAME_INFO structure", HFILL }},
7429 { &hf_smb2_fs_info_01,
7430 { "SMB2_FS_INFO_01", "smb2.fs_info_01", FT_NONE, BASE_NONE,
7431 NULL, 0, "SMB2_FS_INFO_01 structure", HFILL }},
7433 { &hf_smb2_fs_info_03,
7434 { "SMB2_FS_INFO_03", "smb2.fs_info_03", FT_NONE, BASE_NONE,
7435 NULL, 0, "SMB2_FS_INFO_03 structure", HFILL }},
7437 { &hf_smb2_fs_info_04,
7438 { "SMB2_FS_INFO_04", "smb2.fs_info_04", FT_NONE, BASE_NONE,
7439 NULL, 0, "SMB2_FS_INFO_04 structure", HFILL }},
7441 { &hf_smb2_fs_info_05,
7442 { "SMB2_FS_INFO_05", "smb2.fs_info_05", FT_NONE, BASE_NONE,
7443 NULL, 0, "SMB2_FS_INFO_05 structure", HFILL }},
7445 { &hf_smb2_fs_info_06,
7446 { "SMB2_FS_INFO_06", "smb2.fs_info_06", FT_NONE, BASE_NONE,
7447 NULL, 0, "SMB2_FS_INFO_06 structure", HFILL }},
7449 { &hf_smb2_fs_info_07,
7450 { "SMB2_FS_INFO_07", "smb2.fs_info_07", FT_NONE, BASE_NONE,
7451 NULL, 0, "SMB2_FS_INFO_07 structure", HFILL }},
7453 { &hf_smb2_fs_objectid_info,
7454 { "SMB2_FS_OBJECTID_INFO", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
7455 NULL, 0, "SMB2_FS_OBJECTID_INFO structure", HFILL }},
7457 { &hf_smb2_sec_info_00,
7458 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
7459 NULL, 0, "SMB2_SEC_INFO_00 structure", HFILL }},
7461 { &hf_smb2_disposition_delete_on_close,
7462 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
7463 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }},
7466 { &hf_smb2_create_disposition,
7467 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
7468 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
7470 { &hf_smb2_create_action,
7471 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
7472 VALS(oa_open_vals), 0, NULL, HFILL }},
7474 { &hf_smb2_create_rep_flags,
7475 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
7476 NULL, 0, NULL, HFILL }},
7478 { &hf_smb2_create_rep_flags_reparse_point,
7479 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
7480 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }},
7482 { &hf_smb2_extrainfo,
7483 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
7484 NULL, 0, "Create ExtraInfo", HFILL }},
7486 { &hf_smb2_create_chain_offset,
7487 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
7488 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
7490 { &hf_smb2_create_chain_data,
7491 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
7492 NULL, 0, "Chain Data", HFILL }},
7494 { &hf_smb2_FILE_OBJECTID_BUFFER,
7495 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
7496 NULL, 0, "A FILE_OBJECTID_BUFFER structure", HFILL }},
7498 { &hf_smb2_lease_key,
7499 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
7500 NULL, 0, NULL, HFILL }},
7502 { &hf_smb2_lease_state,
7503 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
7504 NULL, 0, NULL, HFILL }},
7506 { &hf_smb2_lease_state_read_caching,
7507 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
7508 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }},
7510 { &hf_smb2_lease_state_handle_caching,
7511 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
7512 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }},
7514 { &hf_smb2_lease_state_write_caching,
7515 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
7516 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }},
7518 { &hf_smb2_lease_flags,
7519 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
7520 NULL, 0, NULL, HFILL }},
7522 { &hf_smb2_lease_flags_break_ack_required,
7523 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
7524 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }},
7526 { &hf_smb2_lease_flags_break_in_progress,
7527 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
7528 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }},
7530 { &hf_smb2_lease_flags_parent_lease_key_set,
7531 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
7532 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }},
7534 { &hf_smb2_lease_duration,
7535 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
7536 NULL, 0, NULL, HFILL }},
7538 { &hf_smb2_parent_lease_key,
7539 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
7540 NULL, 0, NULL, HFILL }},
7542 { &hf_smb2_lease_epoch,
7543 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT32, BASE_HEX,
7544 NULL, 0, NULL, HFILL }},
7546 { &hf_smb2_lease_break_reason,
7547 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
7548 NULL, 0, NULL, HFILL }},
7550 { &hf_smb2_lease_access_mask_hint,
7551 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
7552 NULL, 0, NULL, HFILL }},
7554 { &hf_smb2_lease_share_mask_hint,
7555 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
7556 NULL, 0, NULL, HFILL }},
7558 { &hf_smb2_next_offset,
7559 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
7560 NULL, 0, "Offset to next buffer or 0", HFILL }},
7562 { &hf_smb2_current_time,
7563 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7564 NULL, 0, "Current Time at server", HFILL }},
7566 { &hf_smb2_boot_time,
7567 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7568 NULL, 0, "Boot Time at server", HFILL }},
7570 { &hf_smb2_ea_flags,
7571 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
7572 NULL, 0, NULL, HFILL }},
7574 { &hf_smb2_ea_name_len,
7575 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
7576 NULL, 0, NULL, HFILL }},
7578 { &hf_smb2_ea_data_len,
7579 { "EA Data Length", "smb2.ea.data_len", FT_UINT8, BASE_DEC,
7580 NULL, 0, NULL, HFILL }},
7582 { &hf_smb2_delete_pending,
7583 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
7584 NULL, 0, NULL, HFILL }},
7586 { &hf_smb2_is_directory,
7587 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
7588 NULL, 0, "Is this a directory?", HFILL }},
7591 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
7592 VALS(oplock_vals), 0, "Oplock type", HFILL }},
7594 { &hf_smb2_close_flags,
7595 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
7596 NULL, 0, NULL, HFILL }},
7598 { &hf_smb2_notify_flags,
7599 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
7600 NULL, 0, NULL, HFILL }},
7602 { &hf_smb2_buffer_code,
7603 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
7604 NULL, 0, NULL, HFILL }},
7606 { &hf_smb2_buffer_code_len,
7607 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
7608 NULL, 0, "Length of fixed portion of PDU", HFILL }},
7610 { &hf_smb2_olb_length,
7611 { "Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
7612 NULL, 0, "Length of the buffer", HFILL }},
7614 { &hf_smb2_olb_offset,
7615 { "Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
7616 NULL, 0, "Offset to the buffer", HFILL }},
7618 { &hf_smb2_buffer_code_flags_dyn,
7619 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
7620 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }},
7623 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE,
7624 NULL, 0, NULL, HFILL }},
7627 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
7628 NULL, 0, NULL, HFILL }},
7630 { &hf_smb2_impersonation_level,
7631 { "Impersonation", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
7632 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
7634 { &hf_smb2_ioctl_function,
7635 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX,
7636 VALS(smb2_ioctl_vals), 0, "Ioctl function", HFILL }},
7638 { &hf_smb2_ioctl_function_device,
7639 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX,
7640 VALS(smb2_ioctl_device_vals), 0xffff0000, "Device for Ioctl", HFILL }},
7642 { &hf_smb2_ioctl_function_access,
7643 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
7644 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }},
7646 { &hf_smb2_ioctl_function_function,
7647 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
7648 NULL, 0x00003ffc, "Function for Ioctl", HFILL }},
7650 { &hf_smb2_ioctl_function_method,
7651 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
7652 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }},
7654 { &hf_smb2_ioctl_resiliency_timeout,
7655 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
7656 NULL, 0, "Resiliency timeout", HFILL }},
7658 { &hf_smb2_ioctl_resiliency_reserved,
7659 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
7660 NULL, 0, "Resiliency reserved", HFILL }},
7662 { &hf_windows_sockaddr_family,
7663 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
7664 NULL, 0, "The socket address family (on windows)", HFILL }},
7666 { &hf_windows_sockaddr_port,
7667 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
7668 NULL, 0, "The socket address port", HFILL }},
7670 { &hf_windows_sockaddr_in_addr,
7671 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
7672 NULL, 0, "The IPv4 address", HFILL }},
7674 { &hf_windows_sockaddr_in6_flowinfo,
7675 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
7676 NULL, 0, "The socket IPv6 flow info", HFILL }},
7678 { &hf_windows_sockaddr_in6_addr,
7679 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
7680 NULL, 0, "The IPv6 address", HFILL }},
7682 { &hf_windows_sockaddr_in6_scope_id,
7683 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
7684 NULL, 0, "The socket IPv6 scope id", HFILL }},
7686 { &hf_smb2_ioctl_network_interface_next_offset,
7687 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
7688 NULL, 0, "Offset to next entry in chain or 0", HFILL }},
7690 { &hf_smb2_ioctl_network_interface_index,
7691 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
7692 NULL, 0, "The index of the interface", HFILL }},
7694 { &hf_smb2_ioctl_network_interface_rss_queue_count,
7695 { "RSS Queue Count", "smb2.ioctl.network_interfaces.rss_queue_count", FT_UINT32, BASE_DEC,
7696 NULL, 0, "The RSS queue count", HFILL }},
7698 { &hf_smb2_ioctl_network_interface_capabilities,
7699 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
7700 NULL, 0, "The RSS queue count", HFILL }},
7702 { &hf_smb2_ioctl_network_interface_capability_rss,
7703 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
7704 TFS(&tfs_smb2_ioctl_network_interface_capability_rss),
7705 NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }},
7707 { &hf_smb2_ioctl_network_interface_capability_rdma,
7708 { "RMDA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
7709 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma),
7710 NETWORK_INTERFACE_CAP_RMDA, "If the host supports RDMA", HFILL }},
7712 { &hf_smb2_ioctl_network_interface_link_speed,
7713 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
7714 NULL, 0, "The link speed of the interface", HFILL }},
7716 { &hf_smb2_ioctl_shadow_copy_num_volumes,
7717 { "Num Volumes", "smb2.ioctl.shadow_copy.num_volumes", FT_UINT32, BASE_DEC,
7718 NULL, 0, "Number of shadow copy volumes", HFILL }},
7720 { &hf_smb2_ioctl_shadow_copy_num_labels,
7721 { "Num Labels", "smb2.ioctl.shadow_copy.num_labels", FT_UINT32, BASE_DEC,
7722 NULL, 0, "Number of shadow copy labels", HFILL }},
7724 { &hf_smb2_ioctl_shadow_copy_label,
7725 { "Label", "smb2.ioctl.shadow_copy.label", FT_STRING, BASE_NONE,
7726 NULL, 0, "Shadow copy label", HFILL }},
7728 { &hf_smb2_compression_format,
7729 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
7730 VALS(compression_format_vals), 0, "Compression to use", HFILL }},
7732 { &hf_smb2_share_type,
7733 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
7734 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }},
7736 { &hf_smb2_credit_charge,
7737 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
7738 NULL, 0, NULL, HFILL }},
7740 { &hf_smb2_credits_requested,
7741 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
7742 NULL, 0, NULL, HFILL }},
7744 { &hf_smb2_credits_granted,
7745 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
7746 NULL, 0, NULL, HFILL }},
7748 { &hf_smb2_channel_sequence,
7749 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
7750 NULL, 0, NULL, HFILL }},
7752 { &hf_smb2_dialect_count,
7753 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
7754 NULL, 0, NULL, HFILL }},
7757 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
7758 NULL, 0, NULL, HFILL }},
7760 { &hf_smb2_security_mode,
7761 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
7762 NULL, 0, NULL, HFILL }},
7764 { &hf_smb2_session_flags,
7765 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
7766 NULL, 0, NULL, HFILL }},
7768 { &hf_smb2_lock_count,
7769 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
7770 NULL, 0, NULL, HFILL }},
7772 { &hf_smb2_capabilities,
7773 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
7774 NULL, 0, NULL, HFILL }},
7776 { &hf_smb2_ioctl_shadow_copy_count,
7777 { "Count", "smb2.ioctl.shadow_copy.count", FT_UINT32, BASE_DEC,
7778 NULL, 0, "Number of bytes for shadow copy label strings", HFILL }},
7780 { &hf_smb2_auth_frame,
7781 { "Authenticated in Frame", "smb2.auth_frame", FT_UINT32, BASE_DEC,
7782 NULL, 0, "Which frame this user was authenticated in", HFILL }},
7784 { &hf_smb2_tcon_frame,
7785 { "Connected in Frame", "smb2.tcon_frame", FT_UINT32, BASE_DEC,
7786 NULL, 0, "Which frame this share was connected in", HFILL }},
7789 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
7790 NULL, 0, "Tag of chain entry", HFILL }},
7792 { &hf_smb2_acct_name,
7793 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
7794 NULL, 0, "Account Name", HFILL }},
7796 { &hf_smb2_domain_name,
7797 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
7798 NULL, 0, "Domain Name", HFILL }},
7800 { &hf_smb2_host_name,
7801 { "Host", "smb2.host", FT_STRING, BASE_NONE,
7802 NULL, 0, "Host Name", HFILL }},
7804 { &hf_smb2_signature,
7805 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
7806 NULL, 0, NULL, HFILL }},
7809 { "unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
7810 NULL, 0, "Unknown bytes", HFILL }},
7812 { &hf_smb2_twrp_timestamp,
7813 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7814 NULL, 0, "TWrp timestamp", HFILL }},
7816 { &hf_smb2_mxac_timestamp,
7817 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
7818 NULL, 0, "MxAc timestamp", HFILL }},
7820 { &hf_smb2_mxac_status,
7821 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX,
7822 VALS(NT_errors), 0, "NT Status code", HFILL }},
7824 { &hf_smb2_qfid_fid,
7825 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
7826 NULL, 0, NULL, HFILL }},
7828 { &hf_smb2_ses_flags_guest,
7829 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
7830 NULL, SES_FLAGS_GUEST, NULL, HFILL }},
7832 { &hf_smb2_ses_flags_null,
7833 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
7834 NULL, SES_FLAGS_NULL, NULL, HFILL }},
7836 { &hf_smb2_secmode_flags_sign_required,
7837 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
7838 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }},
7840 { &hf_smb2_secmode_flags_sign_enabled,
7841 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
7842 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }},
7844 { &hf_smb2_ses_req_flags,
7845 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
7846 NULL, 0, NULL, HFILL }},
7848 { &hf_smb2_ses_req_flags_session_binding,
7849 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
7850 NULL, SES_REQ_FLAGS_SESSION_BINDING,
7851 "The client wants to bind to an existing session", HFILL }},
7854 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
7855 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }},
7857 { &hf_smb2_cap_leasing,
7858 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
7859 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING,
7860 "If the host supports leasing", HFILL }},
7862 { &hf_smb2_cap_large_mtu,
7863 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
7864 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU,
7865 "If the host supports LARGE MTU", HFILL }},
7867 { &hf_smb2_cap_multi_channel,
7868 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
7869 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL,
7870 "If the host supports MULTI CHANNEL", HFILL }},
7872 { &hf_smb2_cap_persistent_handles,
7873 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
7874 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES,
7875 "If the host supports PERSISTENT HANDLES", HFILL }},
7877 { &hf_smb2_cap_directory_leasing,
7878 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
7879 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING,
7880 "If the host supports DIRECTORY LEASING", HFILL }},
7882 { &hf_smb2_cap_encryption,
7883 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
7884 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION,
7885 "If the host supports ENCRYPTION", HFILL }},
7887 { &hf_smb2_max_trans_size,
7888 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
7889 NULL, 0, "Maximum size of a transaction", HFILL }},
7891 { &hf_smb2_max_read_size,
7892 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
7893 NULL, 0, "Maximum size of a read", HFILL }},
7895 { &hf_smb2_max_write_size,
7896 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
7897 NULL, 0, "Maximum size of a write", HFILL }},
7900 { "Channel", "smb2.channel", FT_UINT32, BASE_DEC,
7901 NULL, 0, NULL, HFILL }},
7903 { &hf_smb2_share_flags,
7904 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
7905 NULL, 0, NULL, HFILL }},
7907 { &hf_smb2_share_flags_dfs,
7908 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
7909 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
7911 { &hf_smb2_share_flags_dfs_root,
7912 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
7913 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }},
7915 { &hf_smb2_share_flags_restrict_exclusive_opens,
7916 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
7917 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }},
7919 { &hf_smb2_share_flags_force_shared_delete,
7920 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
7921 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }},
7923 { &hf_smb2_share_flags_allow_namespace_caching,
7924 { "Allow namepsace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
7925 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }},
7927 { &hf_smb2_share_flags_access_based_dir_enum,
7928 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
7929 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }},
7931 { &hf_smb2_share_flags_force_levelii_oplock,
7932 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
7933 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }},
7935 { &hf_smb2_share_flags_enable_hash_v1,
7936 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
7937 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
7939 { &hf_smb2_share_flags_enable_hash_v2,
7940 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
7941 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }},
7943 { &hf_smb2_share_flags_encrypt_data,
7944 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
7945 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }},
7947 { &hf_smb2_share_caching,
7948 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
7949 VALS(share_cache_vals), 0, NULL, HFILL }},
7951 { &hf_smb2_share_caps,
7952 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
7953 NULL, 0, NULL, HFILL }},
7955 { &hf_smb2_share_caps_dfs,
7956 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
7957 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }},
7959 { &hf_smb2_share_caps_continuous_availability,
7960 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
7961 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY,
7962 "The specified share is continuously available", HFILL }},
7964 { &hf_smb2_share_caps_scaleout,
7965 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
7966 NULL, SHARE_CAPS_SCALEOUT,
7967 "The specified share is a scaleout share", HFILL }},
7969 { &hf_smb2_share_caps_cluster,
7970 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
7971 NULL, SHARE_CAPS_CLUSTER,
7972 "The specified share is a cluster share", HFILL }},
7974 { &hf_smb2_ioctl_flags,
7975 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
7976 NULL, 0, NULL, HFILL }},
7978 { &hf_smb2_min_count,
7979 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
7980 NULL, 0, NULL, HFILL }},
7982 { &hf_smb2_remaining_bytes,
7983 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
7985 { &hf_smb2_channel_info_offset,
7986 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
7987 NULL, 0, NULL, HFILL }},
7989 { &hf_smb2_channel_info_length,
7990 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
7991 NULL, 0, NULL, HFILL }},
7993 { &hf_smb2_ioctl_is_fsctl,
7994 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
7995 NULL, 0x00000001, NULL, HFILL }},
7997 { &hf_smb2_output_buffer_len,
7998 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT16, BASE_DEC,
7999 NULL, 0, NULL, HFILL }},
8001 { &hf_smb2_close_pq_attrib,
8002 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
8003 NULL, 0x0001, NULL, HFILL }},
8005 { &hf_smb2_notify_watch_tree,
8006 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
8007 NULL, 0x0001, NULL, HFILL }},
8009 { &hf_smb2_notify_out_data,
8010 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
8011 NULL, 0, NULL, HFILL }},
8013 { &hf_smb2_find_flags_restart_scans,
8014 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
8015 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }},
8017 { &hf_smb2_find_flags_single_entry,
8018 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
8019 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }},
8021 { &hf_smb2_find_flags_index_specified,
8022 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
8023 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }},
8025 { &hf_smb2_find_flags_reopen,
8026 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
8027 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }},
8029 { &hf_smb2_file_index,
8030 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
8031 NULL, 0, NULL, HFILL }},
8033 { &hf_smb2_file_directory_info,
8034 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
8035 NULL, 0, NULL, HFILL }},
8037 { &hf_smb2_full_directory_info,
8038 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
8039 NULL, 0, NULL, HFILL }},
8041 { &hf_smb2_both_directory_info,
8042 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
8043 NULL, 0, NULL, HFILL }},
8045 { &hf_smb2_id_both_directory_info,
8046 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
8047 NULL, 0, NULL, HFILL }},
8049 { &hf_smb2_short_name_len,
8050 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
8051 NULL, 0, NULL, HFILL }},
8053 { &hf_smb2_short_name,
8054 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
8055 NULL, 0, NULL, HFILL }},
8057 { &hf_smb2_lock_info,
8058 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
8059 NULL, 0, NULL, HFILL }},
8061 { &hf_smb2_lock_length,
8062 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
8063 NULL, 0, NULL, HFILL }},
8065 { &hf_smb2_lock_flags,
8066 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
8067 NULL, 0, NULL, HFILL }},
8069 { &hf_smb2_lock_flags_shared,
8070 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
8071 NULL, 0x00000001, NULL, HFILL }},
8073 { &hf_smb2_lock_flags_exclusive,
8074 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
8075 NULL, 0x00000002, NULL, HFILL }},
8077 { &hf_smb2_lock_flags_unlock,
8078 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
8079 NULL, 0x00000004, NULL, HFILL }},
8081 { &hf_smb2_lock_flags_fail_immediately,
8082 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
8083 NULL, 0x00000010, NULL, HFILL }},
8085 { &hf_smb2_error_reserved,
8086 { "Reserved", "smb2.error.reserved", FT_UINT16, BASE_HEX,
8087 NULL, 0, NULL, HFILL }},
8089 { &hf_smb2_error_byte_count,
8090 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
8091 NULL, 0, NULL, HFILL }},
8093 { &hf_smb2_error_data,
8094 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
8095 NULL, 0, NULL, HFILL }},
8097 { &hf_smb2_reserved,
8098 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
8099 NULL, 0, "Reserved bytes", HFILL }},
8101 { &hf_smb2_dhnq_buffer_reserved,
8102 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
8103 NULL, 0, NULL, HFILL}},
8105 { &hf_smb2_dh2x_buffer_timeout,
8106 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
8107 NULL, 0, NULL, HFILL}},
8109 { &hf_smb2_dh2x_buffer_flags,
8110 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
8111 NULL, 0, NULL, HFILL}},
8113 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
8114 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
8115 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL}},
8117 { &hf_smb2_dh2x_buffer_reserved,
8118 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
8119 NULL, 0, NULL, HFILL}},
8121 { &hf_smb2_dh2x_buffer_create_guid,
8122 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
8123 NULL, 0, NULL, HFILL}},
8125 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
8126 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
8127 NULL, 0, NULL, HFILL}},
8129 { &hf_smb2_APP_INSTANCE_buffer_reserved,
8130 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
8131 NULL, 0, NULL, HFILL}},
8133 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
8134 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
8135 NULL, 0, NULL, HFILL}},
8137 { &hf_smb2_transform_signature,
8138 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
8139 NULL, 0, NULL, HFILL }},
8141 { &hf_smb2_transform_nonce,
8142 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
8143 NULL, 0, NULL, HFILL }},
8145 { &hf_smb2_transform_msg_size,
8146 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
8147 NULL, 0, NULL, HFILL }},
8149 { &hf_smb2_transform_reserved,
8150 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
8151 NULL, 0, NULL, HFILL }},
8153 { &hf_smb2_transform_enc_alg,
8154 { "Encryption ALG", "smb2.header.transform.encryption_alg", FT_UINT16, BASE_HEX,
8155 NULL, 0, NULL, HFILL }},
8157 { &hf_smb2_encryption_aes128_ccm,
8158 { "SMB2_ENCRYPTION_AES128_CCM", "smb2.header.transform.enc_aes128_ccm", FT_BOOLEAN, 16,
8159 NULL, ENC_ALG_aes128_ccm, NULL, HFILL }},
8161 { &hf_smb2_transform_encrypted_data,
8162 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
8163 NULL, 0, NULL, HFILL }},
8167 static gint *ett[] = {
8172 &ett_smb2_encrypted,
8175 &ett_smb2_file_basic_info,
8176 &ett_smb2_file_standard_info,
8177 &ett_smb2_file_internal_info,
8178 &ett_smb2_file_ea_info,
8179 &ett_smb2_file_access_info,
8180 &ett_smb2_file_rename_info,
8181 &ett_smb2_file_disposition_info,
8182 &ett_smb2_file_position_info,
8183 &ett_smb2_file_full_ea_info,
8184 &ett_smb2_file_mode_info,
8185 &ett_smb2_file_alignment_info,
8186 &ett_smb2_file_all_info,
8187 &ett_smb2_file_allocation_info,
8188 &ett_smb2_file_endoffile_info,
8189 &ett_smb2_file_alternate_name_info,
8190 &ett_smb2_file_stream_info,
8191 &ett_smb2_file_pipe_info,
8192 &ett_smb2_file_compression_info,
8193 &ett_smb2_file_network_open_info,
8194 &ett_smb2_file_attribute_tag_info,
8195 &ett_smb2_fs_info_01,
8196 &ett_smb2_fs_info_03,
8197 &ett_smb2_fs_info_04,
8198 &ett_smb2_fs_info_05,
8199 &ett_smb2_fs_info_06,
8200 &ett_smb2_fs_info_07,
8201 &ett_smb2_fs_objectid_info,
8202 &ett_smb2_sec_info_00,
8204 &ett_smb2_sesid_tree,
8205 &ett_smb2_create_chain_element,
8206 &ett_smb2_MxAc_buffer,
8207 &ett_smb2_QFid_buffer,
8208 &ett_smb2_RqLs_buffer,
8209 &ett_smb2_ioctl_function,
8210 &ett_smb2_FILE_OBJECTID_BUFFER,
8213 &ett_smb2_capabilities,
8214 &ett_smb2_ses_req_flags,
8215 &ett_smb2_ses_flags,
8216 &ett_smb2_create_rep_flags,
8217 &ett_smb2_lease_state,
8218 &ett_smb2_lease_flags,
8219 &ett_smb2_share_flags,
8220 &ett_smb2_share_caps,
8221 &ett_smb2_ioctl_flags,
8222 &ett_smb2_ioctl_network_interface,
8223 &ett_windows_sockaddr,
8224 &ett_smb2_close_flags,
8225 &ett_smb2_notify_flags,
8226 &ett_smb2_write_flags,
8227 &ett_smb2_find_flags,
8228 &ett_smb2_file_directory_info,
8229 &ett_smb2_both_directory_info,
8230 &ett_smb2_id_both_directory_info,
8231 &ett_smb2_full_directory_info,
8232 &ett_smb2_file_name_info,
8233 &ett_smb2_lock_info,
8234 &ett_smb2_lock_flags,
8235 &ett_smb2_DH2Q_buffer,
8236 &ett_smb2_DH2C_buffer,
8237 &ett_smb2_dh2x_flags,
8238 &ett_smb2_APP_INSTANCE_buffer,
8239 &ett_smb2_transform_enc_alg,
8240 &ett_smb2_buffercode,
8243 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
8245 proto_register_subtree_array(ett, array_length(ett));
8246 proto_register_field_array(proto_smb2, hf, array_length(hf));
8248 smb2_module = prefs_register_protocol(proto_smb2, NULL);
8249 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
8250 "Use the full file name as File ID when exporting an SMB2 object",
8251 "Whether the export object functionality will take the full path file name as file identifier",
8252 &eosmb2_take_name_as_fid);
8254 register_heur_dissector_list("smb2_heur_subdissectors", &smb2_heur_subdissector_list);
8255 smb2_tap = register_tap("smb2");
8256 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
/*
 * Handoff stage of SMB2 registration.
 *
 * Looks up the "gssapi" and "ntlmssp" dissectors by name and caches their
 * handles in gssapi_handle / ntlmssp_handle, then registers
 * dissect_smb2_heur as a heuristic dissector on the "netbios" list for
 * proto_smb2.
 *
 * NOTE(review): find_dissector() returns NULL when nothing is registered
 * under the requested name. The code that uses these two handles is not
 * shown here, so confirm it tolerates a NULL handle.
 *
 * NOTE(review): the heuristic entry point is handed payloads taken from
 * captured traffic. dissect_smb2_heur is defined elsewhere; presumably it
 * validates the SMB2 signature and length before claiming a packet. Verify
 * at its definition.
 */
void
proto_reg_handoff_smb2(void)
{
	/* Security-blob sub-dissectors, resolved once by name. */
	gssapi_handle  = find_dissector("gssapi");
	ntlmssp_handle = find_dissector("ntlmssp");

	/* Offer SMB2 as a heuristic candidate on the "netbios" list. */
	heur_dissector_add("netbios", dissect_smb2_heur, proto_smb2);
}
8269 * Editor modelines - http://www.wireshark.org/tools/modelines.html
8274 * indent-tabs-mode: t
8277 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
8278 * :indentSize=8:tabSize=8:noTabs=false: